[UPHPU] receiving with $_REQUEST

Richard K Miller richardkmiller at gmail.com
Thu Feb 28 17:18:47 MST 2008


On Feb 28, 2008, at 4:56 PM, Wade Preston Shearer wrote:

>> You defeat the purpose of CSRF by going outside the domain to use the
>> script. CSRF attacks go after already applied authentication by
>> using it against the user (using their security auth to do something
>> malicious).
>
> I wasn't referring to CSRF. I was showing how the shopping cart/
> MySpace example wasn't a valid reason against using REQUEST as the
> hacker can fake-post to the shopping cart just as easy as he can
> fake-get to the shopping cart, both without user interaction.

Sure, a hacker can fake-GET or fake-POST and guess at the credentials.
But in a CSRF, the hacker causes the user's browser to do a GET WITH
the user's own cookies, which may mean the user is authenticated.
Correct me if I'm wrong, but the hacker cannot force the browser to do
a POST, WITH the user's cookies for that domain, without user
intervention.
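As an added illustration (not code from the thread or from any of its participants), here is the defender-side pattern the discussion circles around: a shopping-cart endpoint that never reads `$_REQUEST`, only mutates state on POST, and requires a per-session token that a browser's cookies alone cannot supply. Function names and the `item` field are assumptions for the example.

```php
<?php
// Added example: a state-changing endpoint that ignores $_REQUEST entirely,
// accepts only POST, and requires a per-session CSRF token.
// Assumes PHP 7+ with sessions enabled; function names are hypothetical.
declare(strict_types=1);

session_start();

// Issue (or reuse) a random token bound to this session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST carrying a token equal to the one in the session.
function csrf_request_is_valid(): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                      // a GET (e.g. an <img src=...>) never mutates state
    }
    // Read $_POST, never $_REQUEST: a query-string parameter or cookie
    // must not be able to stand in for the form field.
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $sent !== '' && $expected !== '' && hash_equals($expected, $sent); // constant-time compare
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_request_is_valid()) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF token');
    }
    // Cart mutation would go here, using $_POST values only.
    $item = (int) ($_POST['item'] ?? 0);
    exit('Added item ' . $item . ' to cart');
}

// GET: render the form with the token embedded; session cookies alone are not enough.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="item" value="42">'
   . '<button type="submit">Add to cart</button>'
   . '</form>';
```

Because the token lives in the server-side session and is only ever compared against a `$_POST` field, a cross-site request that rides on the user's cookies but cannot read the page's HTML has nothing to submit, whichever HTTP method it uses.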
