[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fixing CSRF exploits in Infrastructure



On Mon November 24 2008, Toshio Kuratomi wrote:

> I've been researching the CSRF exploit and how it affects our web apps
> recently.  The short story is that our code is pretty open to this at
> the moment.  I've written up a proposal for fixing this but it will
> require a lot of coding so I'd love to have some more eyes on it to make
> sure I'm not making any stupid mistakes.
>
> The proposal is here::
>   https://fedorahosted.org/fas/wiki/CSRF

From the proposal:
| make a GET request that can change state on the server

It is recommended to not use GET requests to change state on the server, 
therefore it would be probably better to change these GET requests to POST 
requests.

Regards,
Till

Attachment: signature.asc
Description: This is a digitally signed message part.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]