Passing parameters in URL

Diez B. Roggisch deets at nospam.web.de
Thu Feb 4 13:07:39 EST 2010


Am 04.02.10 18:22, schrieb John Bokma:
> "Diez B. Roggisch"<deets at nospam.web.de>  writes:
>
>> Am 04.02.10 01:42, schrieb John Bokma:
>
> [..]
>
>>> Maybe you should think about what happens if someone posts:
>>> <img src="http://example.com/item_delete?id=123">   to a popular forum...
>>
>> And the difference to posting
>>
>> from urllib2 import urlopen
>> from urllib import urlencode
>>
>> urlopen("http://example.com/item_delete", data=urlencode([("id", "123")]))
>>
>> to that same public "hacker" forum is exactly what?
>
> Imagine that a user of example.com, logged in at example.com (i.e. with
> a valid session ID in a cookie), visits the aforementioned (by me)
> forum, and that he has an item 123. It will be deleted.

The webapp must actually prevent the processing of GET requests 
for the action in question. This isn't the case by default for many of 
them; in fact at least e.g. TurboGears, as well as PHP, offer you ways to 
treat GET and POST vars the exact same way. So unless the programmer is 
aware of this potential problem, it won't help.

And in the same way one can embed a form with a POST action that leads 
to the full http://example.com URL into an external page. So it is 
equally dangerous. Yes, links are easier, no doubt about that. But 
POST doesn't magically make you safe from those kinds of attacks.

The only ways to prevent this are short-lived sessions, or action tokens 
of some kind, as Paul mentioned before.

Diez
