Posted to modperl@perl.apache.org by Chris Shiflett <sh...@php.net> on 2006/10/06 22:24:51 UTC

CSRF (Was: XSS evasion)

Clinton Gormley wrote:
> 3) Instead of serving the image, the server at www.malicious-site.com
> issues a 302 HTTP Status code which redirects Joe Bloggs to
> http://my.website.com/change_password?new_password=abcde
> 
> So his password gets changed, because this is coming from a live
> session: the request is from his own browser and sends the session
> cookie, and he doesn't see the image because the return page isn't
> an image.

By the way, this is why section 9.1.1 of RFC 2616 states the following:

"In particular, the convention has been established that the GET and
HEAD methods SHOULD NOT have the significance of taking an action other
than retrieval. These methods ought to be considered "safe". This allows
user agents to represent other methods, such as POST, PUT and DELETE, in
a special way, so that the user is made aware of the fact that a
possibly unsafe action is being requested."

Chris

-- 
Chris Shiflett
http://shiflett.org/
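The scenario Clinton describes, and the reason Chris cites RFC 2616 9.1.1, as an added worked example that is not code from the thread or from mod_perl. It models my.website.com's /change_password handler two ways: the vulnerable one that acts on any request carrying a valid session cookie, and a hardened one that refuses GET (keeping GET "safe") and additionally demands a CSRF token bound to the session, since an attacker page can just as easily auto-submit a cross-site POST. The Request class, the session store, the session id "sess-joe" and the SERVER_KEY are all constructed stand-ins for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for my.website.com's server-side state (not real data).
USERS = {}       # username -> password
SESSIONS = {}    # session cookie value -> username
# Hypothetical server-side key used to derive per-session CSRF tokens.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal model of what the server sees: method, query/form params, cookies."""
    method: str
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def reset_state():
    """Joe Bloggs is logged in; his browser holds the session cookie 'sess-joe'."""
    USERS.clear()
    SESSIONS.clear()
    USERS["joe"] = "original-password"
    SESSIONS["sess-joe"] = "joe"


def csrf_token_for(session_id):
    """Token tied to the session. The attacker's site never sees SERVER_KEY or
    Joe's session cookie, so it cannot produce this value."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_change_password(req):
    """The handler from the thread: a valid session cookie is all it checks,
    so a GET triggered by an <img> plus a 302 changes the password."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    USERS[user] = req.params["new_password"]
    return 200


def hardened_change_password(req):
    """Same action, but GET stays 'safe' (RFC 2616 9.1.1) and a POST must
    carry the session-bound token rendered into the site's own form."""
    if req.method != "POST":
        return 405                      # retrieval methods never change state
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    expected = csrf_token_for(req.cookies["session"])
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return 403                      # cross-site request: cookie present, token absent
    USERS[user] = req.params["new_password"]
    return 200


def forged_get(handler):
    """What Joe's browser sends after following the 302 from
    www.malicious-site.com: GET with his cookie attached, no token."""
    reset_state()
    req = Request("GET", "/change_password",
                  params={"new_password": "abcde"},
                  cookies={"session": "sess-joe"})
    return handler(req), USERS["joe"]


def forged_post(handler):
    """Same attack via an auto-submitting cross-site form: POST, cookie
    attached, still no token. Shows that 'require POST' alone is not enough."""
    reset_state()
    req = Request("POST", "/change_password",
                  params={"new_password": "abcde"},
                  cookies={"session": "sess-joe"})
    return handler(req), USERS["joe"]


def legitimate_post(handler):
    """Joe submitting the site's own form, which embeds his session's token."""
    reset_state()
    req = Request("POST", "/change_password",
                  params={"new_password": "abcde",
                          "csrf_token": csrf_token_for("sess-joe")},
                  cookies={"session": "sess-joe"})
    return handler(req), USERS["joe"]


if __name__ == "__main__":
    print("vulnerable, forged GET :", forged_get(vulnerable_change_password))
    print("vulnerable, forged POST:", forged_post(vulnerable_change_password))
    print("hardened,   forged GET :", forged_get(hardened_change_password))
    print("hardened,   forged POST:", forged_post(hardened_change_password))
    print("hardened,   real POST  :", legitimate_post(hardened_change_password))
```

Against the vulnerable handler both forged requests succeed and Joe's password becomes "abcde"; the hardened handler answers the forged GET with 405 and the forged POST with 403, leaving the password untouched, and only the request carrying the session-bound token gets through. The session cookie is sent automatically by the browser on cross-site requests, so it can never serve as proof that the user intended the action; the token works because it is something the attacker's page cannot read or compute.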