web - Should we check CSRF token for read-only actions?


I have heard many people suggest that CSRF handling is mandatory for actions performing write operations and optional for actions performing read operations. Is that correct?

If yes, please share an example of how an action that performs read operations can be exploited using CSRF.

Ordinarily, safe methods do not have to be protected against CSRF because they do not make changes to the application (i.e. the "read-only" state in question), and if they're returning sensitive information, that is protected by the same-origin policy in the browser.

If the site is implemented per the standards, GET requests should be safe and therefore do not need protection.

However, there is a specific case where a "cross-site DoS"* attack can be executed. Say a reporting page takes 10 seconds to execute, with 100% CPU usage on the database server and 80% CPU usage on the web server.

Users of the website know never to go to https://yoursite.example.org/analysis/getreport during office hours because it kills the server and gives other users a bad user experience.

However, Chuck wants to knock the yoursite.example.org website offline because he doesn't like you or your company.

On a busy forum that company employees frequent, http://forum.walkertexasranger.example.com, he sets his signature to the following:

<img src="https://yoursite.example.org/analysis/getreport" width=0 height=0 /> 

Every time one of Chuck's posts is read by employees, their authentication cookies are sent to https://yoursite.example.org/analysis/getreport, the site processes the request and generates the report, and the system goes offline because the CPU is eaten by these constant requests.

So even though the request is a GET request and doesn't make permanent changes to the system (aka "safe"/"read-only"), it is in fact bringing down the system every time it is run. Therefore, it is better to protect it with a CSRF prevention method and maybe implement it as a POST.

*XSDoS, or cross-site denial of service, is a phrase coined by me, so don't go googling it.

