tags:

views:

98

answers:

4
Q: 

Allow Get request but only in my domain?

On my site i can trigger certain things using GET request like the ability to hide or delete a comment. I am not very worried but it would be pretty annoying if someone design an attack using img src= url to delete comments or emails. Is there a way to prevent this?

I am using httponlycookies for the login data. if someone does img src or a variant would the request submit valid login cookies? should i use POST instead? Would POST slow the site down? There are very little cookies so a browser may submit cookies and POST with one packet however i dont know if POST and cookies must be seperate.

all of these answers seem to have something to consider not mentioned in the other 3. So i'll turn this into a wiki so people can be more informed instead of looking at accepted answer.

+1  A: 

should i use POST instead? Would POST slow the site down? There are very little cookies so a browser may submit cookies and POST with one packet however i dont know if POST and cookies must be seperate.

Yes, it is better to use POST in your case for lowering the security risk. And don't favor speed over security, go with the POST and yes post and cookie won't clash with each other.

In the end, i would suggest you to go for the html purifier for making your urls and forms safe.

Sarfraz  2010-02-11 04:11:58
I guess its time to learn how to make links submit POST data. I might as well do this with AJAX
acidzombie24  2010-02-11 04:35:19
@acidzombie24: as you said "should i use POST instead?", go ahead if you can so that is atleast hard to alter the stuff by url tempering.
Sarfraz  2010-02-11 04:39:45
POST does nothing to prevent this attack, which is known as Cross-Site Request Forgery. I can just as easily put an auto-submitting POST form on my site as include an image. POST also does not differ from GET in server or network processing time or resource usage. There is no performance difference.
Ben Walther  2010-02-11 07:38:44
@Ben Walther: thanks for sharing that
Sarfraz  2010-02-11 08:08:12
+1  A: 

The risk you're discussing is known as a cross-site request forgery attack. The standard way to prevent it is to double-post cookies (once in the cookies, once in the form), or some other unique token that an attacker could not guess via an included image. For more details on detection and prevention, see:

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Ben Walther  2010-02-11 07:41:26
@ your comment, i never heard of being able to send POST data with an image. Would this technique also post cookies?
acidzombie24  2010-02-11 08:10:35
An image isn't required but it helps. Example:<form method='POST'><input type='hidden' name='x' value='y'/><img src='image' onload='javascript:form[0].submit()' /></form>
Ben Walther  2010-02-11 08:33:10
The form would not post cookies, but the user's request would include the cookies in the standard cookie header.
Ben Walther  2010-02-11 08:33:42
@ben, no IMG tags are only used in CSRF GET based exploitation. You have to use a FORM for POST based like you did. Images do not help you make a post request.
Rook  2010-02-11 17:58:25
Michael, regarding your correction, see the first sentence of my comment: "An image isn't required but it helps." Using an image's onload javascript event is a great way to trigger a form post.
Ben Walther  2010-02-14 07:46:28
+2  A: 

You have confused a couple of common issues here.

Firstly, the attack as others have noted is called is a cross-site request forgery. It is possible to cause either GETs or POSTs from another domain and because the request is going to your domain it will pass in the cookies for your domain which include the session details.

To counter this, when a user logs in, generate a token (some random string of characters) that all links and forms on your site pass back during that session. When the request comes in, take the session details from the cookie and look up which token should GETted/POSTed for that session. If the correct token has not been passed then you can ignore the request/inform the user/log detail for further investigation. I'd recommend the last as when implementing this you may well miss a few links or forms which will then not work. Users may simply leave rather than taking the time to inform you of this.

Secondly, GET requests should be safe (i.e. simply cause data to be displayed with no changes made) and POSTs should be used for all data altering requests. Firstly in case a spider manages to follow a link, causing changes that spiders shouldn't be causing. Secondly as a backup to the user refreshing the page - the browser should remind them that they will be resubmitting the request and do they want to continue. I say as a backup because all your requests should be written in such a way that they are harmless/ignored if resubmitted i.e. don't have a button that requests the last item to be deleted, instead look up that the id of the last item is 1423 and have the button request that 1423 is deleted; if this is submitted twice then the second time around your validation should notice that item 1423 is no longer there and cause no further changes.

status203  2010-02-12 16:52:25
From mar's answer, I obviously wasn't clear enough in the last para. GETs are not inherently safe, I meant that they should only be used for safe requests.
status203  2010-02-15 15:59:40
+1  A: 

I mostly agree with status203. Apart from what he has said about POST not really helping, a couple of comments:

1) GETs are safe only if the application is written correctly. I have seen applications where GETs are used even to make changes. Secondly on this topic, if you return JSON data as an array and your entry point is not protected against CSRF, on some browsers the attacker may be able to steal victim's data by enticing victim to website that has <script src="http://yourserver/json_rsp_entrypoint&quot;&gt;&lt;/script&gt; and then overriding the array constructor.

2) Secondly while having something random in the param and then checking with what is stored in session works, this is complicated if you do not have sessions (such as if you have hundreds of servers and don't want to take the hit of querying DB). So, one alternative is to include MD5(session_cookie) as the CSRF token. This allows you to verify without resorting to DB and attacker without XSS can't get session_cookie and so can't construct token. Note that I do not recommend using session_cookie itself as the token because it creates worse problems - when referrer is leaked or if in hidden form field, then if page is saved.

mar  2010-02-12 19:34:14

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security