http://drm.disqus.com/https://danielmiessler.com/about/enSat, 29 Mar 2008 22:27:16 -0000https://danielmiessler.com/blog/restful-programming-and-csrf#comment-11183641<p>It's a dirty little secret of rails apps that many of them are susceptible to csrf attacks. However, if you designed your rails app correctly (i.e. GET actions only show data, to delete you have to post with DELETE) it makes it a little more difficult, because you need a POST to change any data.</p><p><br></p><p>There was a twitter 'virus' a few months that we discovered and destroyed that essentially created a form which created a tweet and POSTed the form automatically with javascript.</p><p><br></p><p>My colleague Rick Olson wrote CSRF_killer plugin which automatically puts some hidden form variables into all of your forms, and effectively squashes any such attacks.</p>court3naySat, 29 Mar 2008 22:27:16 -0000https://danielmiessler.com/blog/restful-programming-and-csrf#comment-11183638<p>Ah, yes, I remember this now. Well, as I said, I wasn't claiming expertise, and I did in fact get a crucial piece wrong in this flash of "insight". The URLs were right, up until the action piece - the point of REST is to have the HTTP verb be the action. Not for the URL to indicate the action.</p><p><br></p><p>Right.</p><p><br></p><p>Thanks for the reminder, guys. That'll teach me to make 5 minute posts on a whim.</p>Daniel MiesslerSat, 29 Mar 2008 22:26:13 -0000https://danielmiessler.com/blog/restful-programming-and-csrf#comment-11183635<p>RESTful URIs are associated with resources, not actions. URIs specifying actions are not RESTful. For RESTful web applications, HTTP verbs -- GET, PUT, POST, DELETE -- provide the actions.</p>Steve VinoskiSat, 29 Mar 2008 21:27:37 -0000https://danielmiessler.com/blog/restful-programming-and-csrf#comment-11183632<p>Your examples don't look like REST to me.</p><p><br></p><p>My understanding as as follows:</p><p><br></p><p><a href="http://acme.com/products/cart/display" rel="nofollow noopener" target="_blank" title="http://acme.com/products/cart/display">http://acme.com/products/ca...</a> isn't RESTful<br>but <a href="http://acme.com/products/cart/" rel="nofollow noopener" target="_blank" title="http://acme.com/products/cart/">http://acme.com/products/cart/</a> with a action of GET is</p><p><br></p><p><a href="http://acme.com/account/delete" rel="nofollow noopener" target="_blank" title="http://acme.com/account/delete">http://acme.com/account/delete</a> isn't RESTful<br>but <a href="http://acme.com/account/" rel="nofollow noopener" target="_blank" title="http://acme.com/account/">http://acme.com/account/</a> with an action of DELETE is</p><p><br></p><p>Your other examples seem wrong too</p><p><br></p><p>You wouldn't have <a href="http://somesite.com/product/1234/purchase" rel="nofollow noopener" target="_blank" title="http://somesite.com/product/1234/purchase">http://somesite.com/product...</a><br>You'd have <a href="http://somesite.com/basket/" rel="nofollow noopener" target="_blank" title="http://somesite.com/basket/">http://somesite.com/basket/</a> and to purchase a product you'd access it with POST and the product id</p><p><br></p><p><a href="http://somecause.com/campaign/donate" rel="nofollow noopener" target="_blank" title="http://somecause.com/campaign/donate">http://somecause.com/campai...</a> is the same deal, you'd do a POST on <a href="http://somecause.com/campaign/" rel="nofollow noopener" target="_blank" title="http://somecause.com/campaign/">http://somecause.com/campaign/</a> to update it with a new donation</p><p><br></p><p>Any RESTful URL should be completely harmless when accessed via GET.</p>Andrew IngramSat, 29 Mar 2008 16:16:23 -0000https://danielmiessler.com/blog/restful-programming-and-csrf#comment-11183630<p>Actions are still actions regardless of whether they are performed via RESTful URLs or not. </p><p><br></p><p>Your example:<br><a href="http://somesite.com/product/1234/purchase" rel="nofollow noopener" target="_blank" title="http://somesite.com/product/1234/purchase">http://somesite.com/product...</a></p><p><br></p><p>is no easier/harder to abuse with CSRF than something like:</p><p><br></p><p><a href="http://somesite.com/cgi-bin/purchase.cgi?product=1234" rel="nofollow noopener" target="_blank" title="http://somesite.com/cgi-bin/purchase.cgi?product=1234">http://somesite.com/cgi-bin...</a></p><p><br></p><p>When dealing with CSRF, you just need to remember that any major actions need to be verified by making the user re-login (or equivalent). Use of timeouts can also be helpful: "Hey, this user last visited 5 days ago and now the first page he/she is hitting is a checkout page?"</p>Joe SchmoeSat, 29 Mar 2008 15:25:06 -0000