[UPHPU] receiving with $_REQUEST
Richard K Miller
richardkmiller at gmail.com
Thu Feb 28 17:18:47 MST 2008
On Feb 28, 2008, at 4:56 PM, Wade Preston Shearer wrote:
>> You defeat the purpose of CSRF by going outside the domain to use the
>> script. CSRF attacks go after already applied authentication by
>> using it
>> against the user (using their security auth to do something
>> malicious).
>
> I wasn't referring to CSRF. I was showing how the shopping cart/
> MySpace example wasn't a valid reason against using REQUEST as the
> hacker can fake-post to the shopping cart just as easy as he can
> fake-get to the shopping cart, both without user interaction.
Sure, a hacker can fake-GET or fake-POST and guess at the credentials.
But in a CSRF, the hacker causes the user's browser to do a GET WITH
the user's own cookies, which may mean the user is authenticated.
Correct me if I'm wrong, but the hacker cannot force the browser to do
a POST, WITH the user's cookies for that domain, without user
intervention.
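Whichever way the GET-versus-POST question in this thread is settled, the mitigation the thread circles around is the same: do not read state-changing parameters from $_REQUEST (which merges GET, POST and COOKIE), accept them only from $_POST on a POST request, and tie the request to the user's session with a secret token that a cross-site request cannot know. The following is an added example, not code from the original thread or from any poster; the function names (csrf_token, csrf_check, add_to_cart_weak, add_to_cart), the /cart.php action and the item value 42 are assumptions made for illustration.

```php
<?php
// Added example for the UPHPU thread on $_REQUEST vs $_POST (not from the thread).
// Hypothetical helpers: csrf_token(), csrf_check(), add_to_cart_weak(), add_to_cart().
session_start();

// Create one random token per session and reuse it for every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare submitted token to the session token in constant time.
function csrf_check(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Weak version, as discussed in the thread: $_REQUEST merges GET, POST and
// COOKIE, so a cross-site GET carrying ?item=42 reaches this code with the
// victim's own session cookie attached and is indistinguishable from a real click.
function add_to_cart_weak(): void {
    $item = $_REQUEST['item'] ?? null;
    $_SESSION['cart'][] = $item;
}

// Hardened version: require POST, read $_POST only, verify the session token,
// and validate the parameter before touching the cart.
function add_to_cart(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $item = filter_input(INPUT_POST, 'item', FILTER_VALIDATE_INT);
    if ($item === false || $item === null) {
        http_response_code(400);
        exit('bad item');
    }
    $_SESSION['cart'][] = $item;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    add_to_cart();
}
?>
<!-- The legitimate form embeds the token; a page on another origin cannot read it. -->
<form method="post" action="/cart.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="item" value="42">
  <button type="submit">Add to cart</button>
</form>
```

The method check alone only removes the GET path; the token is what actually stops a forged request, because the forging page can set the form fields but cannot read the victim's session token. On PHP 7.3 and later, setting the session cookie with `session_set_cookie_params(['samesite' => 'Lax'])` before `session_start()` adds a second layer that keeps the cookie off most cross-site requests, but it is a complement to the token, not a replacement for it.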