goatfriends.com/cancel_acct.aspx?confirmed=Yes">
With this simple image tag, our attacker has now guaranteed that every user who
visits her profile will automatically delete his or her own profile, with no visible indication
that the browser made the request on the user's behalf.
Cross-Domain POSTs
Popularity: 7
Simplicity: 4
Impact: 9
Risk Rating: 8
We have outlined several basic methods of performing a CSRF attack using a dangerous
action that can be invoked with a single HTTP GET request. But what if the attacker
needs to perform an action carried out by the user submitting an HTML form, such as a
stock trade, bank transfer, profile update, or message board submission?
Chapter 3: Cross-Domain Attacks 81
RFC 2616, the document specifying version 1.1 of the Hypertext Transfer Protocol (HTTP/1.1),
anticipates the possibility of CSRF in the section that specifies which HTTP methods
may perform which actions:
Safe Methods
Implementors should be aware that the software represents the user in their
interactions over the Internet, and should be careful to allow the user to be aware
of any actions they might take which may have an unexpected significance to
themselves or others.
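The server-side checks that close both holes described above (the image-tag GET and a cross-domain auto-submitted POST), as an added example that is not code from the book: the hardened handler treats GET as a safe method in the sense of the RFC passage, requires a same-site Origin or Referer, and checks a per-session anti-CSRF token before acting. The handler, field and header names are assumptions for illustration; the origin is taken from the URL quoted above.

```python
# Added example (not from the book): a vulnerable cancel-account handler beside
# its hardened form. Request/Session are minimal constructed stand-ins.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://goatfriends.com"  # origin our own forms are served from


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)    # POST body fields
    query: dict = field(default_factory=dict)   # URL query parameters


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    deleted: bool = False


def cancel_account_vulnerable(req, session):
    """Behaviour attacked above: any request carrying confirmed=Yes deletes."""
    params = {**req.query, **req.form}
    if params.get("confirmed") == "Yes":
        session.deleted = True
        return 200
    return 400


def cancel_account_hardened(req, session):
    """Require POST, a same-site Origin/Referer, and the session's token."""
    if req.method != "POST":            # GET must stay a safe method
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403                      # cross-domain form submission
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403                      # attacker cannot read the victim's token
    if req.form.get("confirmed") == "Yes":
        session.deleted = True
        return 200
    return 400
```

The Origin/Referer check alone is not sufficient on its own (both headers can be absent), which is why the token check is kept as the primary control.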