Cross-site request forgery

Posted Oct 19, 2007 9:34 UTC (Fri) by ekj (guest, #1524)
In reply to: Cross-site request forgery by jwb
Parent article: Cross-site request forgery

Sure they can have side-effects, the quote you include says as much.

What it says is that "the side-effects of N > 0 identical requests is the same as for a single

In other words, for a GET-request it should make no difference if you visit the link 1 time,
or 200 times, the side-effects should be identical. There is allowed to be a difference
between visiting the link 1+ times, and visiting 0 times.

That's NOT the same as saying there should be no side-effects.

An example: Voting for a story on Digg. If you vote yes for a certain story once, or 100
times, the result is the same: your vote is registered as a yes.

Another example: Adding a certain book to your amazon wishlist. Whether you do the relevant
GET-request once or 10 times, the side-effect is the same: that book will appear on your
wishlist. (once, not 10 times!)

So no, respecting the difference between GET and POST will do precisely nothing at all to
combat this particular vulnerability, though it would have -other- advantages.
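The distinction the comment draws, shown as an added illustration that is not part of the original comment or of any site it names: a GET handler can be perfectly idempotent (adding a book once or ten times leaves the same wishlist) and still change state, so a request carrying the victim's session cookie succeeds no matter which site produced the link. What stops the forged request is a per-session token the foreign page cannot know, not the GET/POST distinction. The in-memory session store, cookie values, book titles and handler names below are all constructed for the example.

```python
"""Added example (not from the LWN comment): an idempotent GET that still has a
side effect, and a per-session CSRF token check that rejects a forged request."""
import hmac
import secrets

# Constructed in-memory state: session cookie -> user, user -> wishlist (a set,
# so repeated adds are idempotent), session cookie -> issued CSRF token.
SESSIONS = {"cookie-alice": "alice"}
WISHLISTS = {"alice": set()}
CSRF_TOKENS = {}


def issue_csrf_token(session_cookie):
    """Give the legitimate page a secret token bound to this session."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[session_cookie] = token
    return token


def add_to_wishlist_naive(session_cookie, book):
    """Idempotent GET handler: the N-th call leaves the same state as the first,
    yet any request carrying the session cookie changes state."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return 401, None
    WISHLISTS[user].add(book)  # once, not N times
    return 200, sorted(WISHLISTS[user])


def add_to_wishlist_protected(session_cookie, book, csrf_token):
    """Same side effect, but only when the request carries the token issued to
    this session; a link built by another site cannot supply it."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return 401, None
    expected = CSRF_TOKENS.get(session_cookie)
    if expected is None or csrf_token is None:
        return 403, None
    if not hmac.compare_digest(expected, csrf_token):  # constant-time compare
        return 403, None
    WISHLISTS[user].add(book)
    return 200, sorted(WISHLISTS[user])


def demo():
    """Run the scenario and return the observable results for inspection."""
    WISHLISTS["alice"].clear()
    CSRF_TOKENS.clear()

    # One request versus ten identical ones: idempotent, identical outcome.
    first = add_to_wishlist_naive("cookie-alice", "SICP")
    for _ in range(9):
        tenth = add_to_wishlist_naive("cookie-alice", "SICP")
    idempotent = first == tenth

    # A request the user never intended still succeeds under the naive handler,
    # because the browser attaches the session cookie regardless of origin.
    forged = add_to_wishlist_naive("cookie-alice", "UnwantedBook")

    # Protected handler: the same kind of request without the token is refused,
    # while the legitimate page, which holds the token, still works.
    token = issue_csrf_token("cookie-alice")
    rejected = add_to_wishlist_protected("cookie-alice", "AnotherUnwanted", None)
    accepted = add_to_wishlist_protected("cookie-alice", "TAOCP", token)
    return {
        "idempotent": idempotent,
        "forged": forged,
        "rejected": rejected,
        "accepted": accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The naive handler is correct by the RFC's idempotence definition and still vulnerable; the protected handler adds nothing to idempotence and removes the vulnerability, which is the comment's point.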


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds