Securing Forms with POST is not enough · 18 June 2004, 18:07

A while ago I posted an entry that talked about the dangers of using GET requests for actions that make permanent changes to a site (GET considered harmful; Sometimes). Jesse Ruderman made me aware that avoiding GET is not enough, and that the problem I described actually belongs to the wider area of Cross-Site Request Forgeries (CSRF).

POST raises the bar

Although after reading his link [1] and doing a bit of Googling about CSRF I agree that using POST instead of GET is far from secure and that additional measures (see below) have to be taken, I do want to point out that exploiting a wrongly used GET is easier than exploiting a POST request. While the former only requires the attacker to be able to insert image tags, which is possible in lots of message boards, comment forms etc., the latter requires the attacker to be able to insert JavaScript code. However, this is mostly a theoretical point and certainly no excuse for not securing your applications.

Why POST is not enough

A potential attacker can hide a form on a page and use JavaScript to submit that form from the onload handler. The result is exactly the same as described in my first article, GET considered harmful. Since it is your browser making the request, the server will authenticate you and the action will be processed (for a detailed explanation, including neat pictures, see link [2]).

Unique Tokens are the solution

When processing forms we have to make sure that the form originated from our site and was not simply copied over to somewhere else. The way to do this is via unique tokens that we pass as hidden values in the form. Upon posting the form, we compare the posted token with the token we saved locally, and only execute the requested action if they match.

Because these tokens are unique and change with each request, it is not possible for a potential attacker to correctly “guess” or otherwise find out the token.
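The token scheme of the two preceding paragraphs, written out as an added example (not code from the original post): a fresh token per served form, kept in the server-side session, embedded as a hidden field, compared in constant time and consumed on use. The session id, the field names and the in-memory SESSIONS store are constructed stand-ins.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage, keyed by session id
# (in a real application this is whatever the session cookie points to).
SESSIONS = {}

def issue_token(session_id):
    """Generate a fresh, unguessable token and remember it for this session."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token

def render_form(session_id):
    """Embed the per-request token as a hidden field in the form we serve."""
    token = issue_token(session_id)
    return (
        '<form method="post" action="/delete">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Delete"></form>'
    )

def handle_post(session_id, form_fields):
    """True only if the posted token matches the one saved for this session.
    The saved token is consumed on every attempt: one token, one submission."""
    expected = SESSIONS.get(session_id, {}).pop("csrf_token", None)
    submitted = form_fields.get("csrf_token", "")
    if expected is None:
        return False  # no outstanding form for this session
    # constant-time comparison so response timing does not leak token bytes
    return hmac.compare_digest(expected.encode(), submitted.encode())

def simulate():
    """Replay the scenarios from the post against handle_post (constructed data)."""
    sid = "victim-session"  # constructed; stands in for the victim's session cookie
    results = {}
    render_form(sid)  # the victim has our genuine form open
    # 1. hidden form auto-submitted from another site: cookie is sent, token unknown
    results["forged_missing_token"] = handle_post(sid, {"item": "42"})
    render_form(sid)
    # 2. the forged form supplies a made-up token value
    results["forged_guessed_token"] = handle_post(sid, {"item": "42", "csrf_token": "guess"})
    # 3. genuine submission carries the token from the page we served
    token = issue_token(sid)
    results["genuine"] = handle_post(sid, {"item": "42", "csrf_token": token})
    # 4. the same token posted a second time was already consumed
    results["replay"] = handle_post(sid, {"item": "42", "csrf_token": token})
    return results
```

Note that a rejected forged attempt also consumes the outstanding token, so the user's legitimately open form must be reloaded before it will submit; that is the price of one-time tokens.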

Further Reading

If you need more information, please see the links below; they have some additional information and also explain the better-known XSS attacks.

[1] Peter W.: CSRF Explanation (via Jesse Ruderman)
[2] Chris Shiflett: Foiling Cross-Site Attacks (second half of the page)
[3] Web Application Security (MIT security camp) [PDF, ~300 KB]
[4] Chris Shiflett: PHP Security Workbook [PDF, 55 pages, covering all major areas: Spoofing, XSS, CSRF, SQL Injection, Sessions, etc.]
