Posted by Chris Shiflett on 03/22/06 02:58

Pardon my intrusion, but I hope to clarify the topic being disputed.

Jerry Stuckle wrote:
> I know *exactly* how auto-form-submission works. In fact, from your
> posts here I expect I know a lot more about it than you do. I've been
> in this field too many years. What you describe is only *one way* it can
> happen. And it's not even the most common.

I'm always disappointed to see ego impact professional discourse. More
importantly, the "one way" Chung Leong describes is a type of attack
called cross-site request forgeries (CSRF), and the safeguard he
recommends is better than you seem to think.

Code can offer clarity, so consider a simple HTML form:

<form action="http://example.org/fire.php" method="POST">
<input type="text" name="employee" />
<input type="submit" value="FIRE" />
</form>

If I am authorized to fire employees, then a request sent by me to fire
a particular employee is successful. A CSRF attack would cause me to
send such a request without my knowledge.

Now, imagine that either of the following safeguards are implemented:

1. A unique, one-time token is included in the form as a hidden form
field as well as stored in my session. A request to fire an employee is
only considered valid if the token in the request matches the one in
the session.

2. Referer is checked. An optimal implementation would take into
account whether my browser typically includes Referer, but let's assume
it does.

Now, if you really think Chung Leong is wrong, you should be able to
demonstrate a CSRF attack that is successful despite such safeguards.
You might be right, but only proof will convince me.

[Back to original message]