Passing parameters in URL
John Bokma
john at castleamber.com
Thu Feb 4 12:22:27 EST 2010
"Diez B. Roggisch" <deets at nospam.web.de> writes:
> Am 04.02.10 01:42, schrieb John Bokma:
[..]
>> Maybe you should think about what happens if someone posts:
>> <img src="http://example.com/item_delete?id=123"> to a popular forum...
>
> And the difference to posting
>
> from urllib2 import urlopen
> from urllib import urlencode
>
> urlopen("http://example.com/item_delete", data=urlencode([("id", "123")]))
>
> to that same public "hacker" forum is exactly what?
Imagine that a user of example.com, logged in at example.com (i.e. with
a valid session ID in a cookie), visits the aforementioned (by me)
forum, and that he has an item 123. It will be deleted.
> If your webapp happens to allow item_delete to be called without
> authentication & authorization, then *that's* your problem.
You now understand that *with* a & a, a GET request can *still* be harmful?
--
John Bokma j3b
Hacking & Hiking in Mexico - http://johnbokma.com/
http://castleamber.com/ - Perl & Python Development
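The scenario John describes is cross-site request forgery: the victim's browser sends the session cookie along with the GET the `<img>` tag triggers, so authentication and authorization checks pass and the item is deleted. The following is an added illustration (not code from the thread or from example.com): a constructed `item_delete` handler in the form the thread criticises, next to a hardened form that accepts only POST and requires a session-bound CSRF token; the session store, item table and token scheme are assumptions for the demo.

```python
"""Constructed demo of the CSRF risk discussed in the thread.
A state-changing endpoint that acts on GET, authenticated only by a
session cookie, can be triggered by an <img src=...> on another site."""
import hmac
import hashlib

SERVER_SECRET = b"constructed-demo-secret"  # real code: load from config
SESSIONS = {"sess-abc": {"user": "alice"}}   # constructed: cookie value -> session
ITEMS = {123: "alice", 456: "bob"}           # constructed: item id -> owner


def csrf_token(session_id: str) -> str:
    """Token bound to the session; another origin cannot read or forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def item_delete_vulnerable(request: dict) -> str:
    """Authenticated *and* authorized, yet CSRF-able: any GET carrying the
    victim's cookie (the browser fetching an <img> tag) is honoured."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not authenticated"
    item_id = int(request["params"]["id"])
    if ITEMS.get(item_id) != session["user"]:
        return "403 not authorized"
    del ITEMS[item_id]
    return "200 deleted"


def item_delete_hardened(request: dict) -> str:
    """Same checks, plus: state changes only via POST, and the POST must
    carry a CSRF token that a cross-site page cannot obtain."""
    if request["method"] != "POST":
        return "405 use POST"          # an <img> tag can only issue GET
    sid = request["cookies"].get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return "401 not authenticated"
    sent = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(sent, csrf_token(sid)):
        return "403 bad csrf token"    # a cross-site POST without the token stops here
    item_id = int(request["form"]["id"])
    if ITEMS.get(item_id) != session["user"]:
        return "403 not authorized"
    del ITEMS[item_id]
    return "200 deleted"
```

The token alone does not protect the vulnerable handler; refusing to change state on GET is what defeats the `<img>` trick, and the token is what defeats a cross-site form POST.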