Cross-site request forgery

Posted Oct 18, 2007 10:44 UTC (Thu) by epa (subscriber, #39769)
In reply to: Cross-site request forgery by elanthis
Parent article: Cross-site request forgery

A hidden form that automatically sends POST requests to some other site without user
intervention?  Do you have an example?  I'm just surprised that this is allowed by
Javascript's security model (as tightened up by recent browsers).

Of course I agree strongly with the grandparent; don't use GET requests for stateful
operations.  That is just asking for trouble.  I once worked in a web development shop where
the policy was that clickable links were somehow cooler than form submit buttons, so the user
management page had a 'delete' link for each user.  A customer was using a web accelerator
program that prefetches links (a perfectly allowable thing to do, provided it just GETs) and
deleted all users from the site.

Hidden POST forms

Posted Oct 19, 2007 0:53 UTC (Fri) by jamesh (guest, #1159)

It is trivial to create such a page. An outline of such an attack is:

  1. Include an iframe on your page, possibly hidden. Something like "<iframe name="foo" style="display: none"></iframe>".
  2. Add a form element on the page with target="foo" as an attribute. This will cause the post to be loaded into the hidden iframe.
  3. Set the action attribute of the form to the site you want to attack, and the method to "post".
  4. Include all the form data you want as hidden form fields.
  5. Add an onload handler to the page that calls the submit() method on the form.

It worked pretty well in the browsers I tried, and doesn't give the user any indication that the form post occurred. So it isn't enough to just put all your unsafe operations into POST requests.

"Referer" header checking and nonces as hidden form fields will stop this attack dead in its tracks though, so they are worth investigating.
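As an added example, not part of either comment above and not code from LWN or its posters, here is a server-side check in Python for the two mitigations jamesh names: a check that the request's Origin or Referer matches the site's own origin, and a per-session nonce carried as a hidden form field and verified on every state-changing POST. It also treats GET and other safe methods as never state-changing, which is the discipline epa's prefetching anecdote argues for. SITE_ORIGIN, SECRET_KEY, the header dictionary shape and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for the example; a real deployment loads these from config.
SITE_ORIGIN = "https://app.example"          # the site being protected (assumption)
SECRET_KEY = b"constructed-server-side-secret"  # never shipped to the browser (assumption)

# Methods that must not change state, so a prefetcher or a bare GET cannot do damage.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _token_mac(session_id: str, nonce: str) -> str:
    # Bind the nonce to the session so a token minted for one session
    # cannot be replayed against another.
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_csrf_token(session_id: str) -> str:
    # Called when rendering a form; the result goes in a hidden field named csrf_token.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_token_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    # Reject malformed tokens and tokens whose MAC does not match this session.
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _token_mac(session_id, nonce))


def origin_ok(headers: dict) -> bool:
    # Prefer Origin (sent by modern browsers on POST); fall back to Referer.
    # A missing header is rejected outright, so a forged request cannot
    # pass simply by stripping both.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_request_allowed(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Return True if a request may perform the action it asks for.

    Safe methods are always allowed because they never change state; every
    other method must carry a matching origin and a valid per-session token.
    """
    if method.upper() in SAFE_METHODS:
        return True
    return origin_ok(headers) and verify_csrf_token(session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    # Constructed walk-through: a legitimate form post versus the hidden-iframe
    # post jamesh describes, which carries the victim's cookies but no token
    # and an Origin from the attacker's page.
    session = "session-abc"
    token = make_csrf_token(session)
    legit = is_request_allowed("POST", {"Origin": SITE_ORIGIN},
                               {"csrf_token": token, "user": "bob", "action": "delete"}, session)
    forged = is_request_allowed("POST", {"Origin": "https://evil.example"},
                                {"user": "bob", "action": "delete"}, session)
    print("legitimate post allowed:", legit)   # True
    print("forged post allowed:", forged)      # False
```

The token is stateless: the server stores nothing per form, it only re-computes the HMAC over the session id and nonce it is handed. The origin check and the token check are independent, so an attacker page that can fabricate one (an Origin header cannot be set by a cross-site form post, and the token is never visible to it) still fails the other.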

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds