Posted by Chris Shiflett on 03/22/06 20:37

> I can easily write some PHP code (or Java, C/C++ or whatever) which will
> simulate submission from your page. Not hard to do at all.

Sure, but the important difference is that your PHP script is not me.
It can't fire people. In fact, your PHP script can't do anything more
than what you can already do with a browser. You've gained nothing.

A CSRF attack would cause me to send a request to fire someone.

> I'm disappointed in the tone used by Chung Leong.

I won't pretend to know any history. I just prefer to ignore "tone" and
focus on technical details.

> As for actually writing the program to do it - it's not worth my time or
> bother.

I only suggested this, because I'm quite sure you can't do it. I'm not
trying to challenge you, because I'm sure you can write code to do
exactly what you're thinking, but that won't achieve anything. However,
if I'm wrong, an example would both clarify and prove your point.
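
The distinction drawn in this post, modelled from the server's side as an added example (not part of the original post or thread). The session ids, user names and `handle_fire` handler are hypothetical, and the per-session token check is a common CSRF defence that the post itself does not mention:

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side key, constructed for the example

# Constructed session store: only the manager's session may fire people.
SESSIONS = {
    "sess-manager": {"user": "manager", "can_fire": True},
    "sess-other": {"user": "other", "can_fire": False},
}

def csrf_token(session_id):
    """Token bound to one session; a third-party page cannot read or guess it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_fire(cookie, form, check_token):
    """Hypothetical POST /fire handler; returns an HTTP-style status code."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401                      # no valid session cookie at all
    if not session["can_fire"]:
        return 403                      # authenticated, but not authorized
    if check_token:
        sent = form.get("csrf_token", "")
        if not hmac.compare_digest(sent, csrf_token(cookie)):
            return 403                  # right cookie, but not from our own form
    return 200                          # action performed

def scenarios(check_token):
    form = {"employee": "constructed-name"}
    real_form = {**form, "csrf_token": csrf_token("sess-manager")}
    return {
        # A script run by someone else: it has no session, or only its own.
        "script_no_session": handle_fire(None, form, check_token),
        "script_own_session": handle_fire("sess-other", form, check_token),
        # CSRF: the request leaves the manager's browser, so the manager's
        # cookie is attached, but the foreign page cannot supply the token.
        "forged_via_manager_browser": handle_fire("sess-manager", form, check_token),
        # The manager submitting the site's real form.
        "manager_real_form": handle_fire("sess-manager", real_form, check_token),
    }

if __name__ == "__main__":
    for check in (False, True):
        print("token check:", check, scenarios(check))
```

Without the token check, the only request that succeeds besides the genuine one is the one sent by the manager's own browser; with it, that forged request is rejected as well.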