Is CSRF possible with PUT or DELETE methods?

Tags:

security

csrf

Is CSRF possible with PUT or DELETE methods? Or does the use of PUT or DELETE prevent CSRF?

4esn0k asked Aug 06 '12 17:08

1 Answer

Great question!

In a perfect world, I can't think of a way to perform a CSRF attack.

  • You cannot make PUT or DELETE requests using HTML forms.
  • Images, Script tags, CSS Links etc all send GET requests to the server.
  • XMLHttpRequest and browser plugins such as Flash/Silverlight/Applets will block cross-domain requests.

So, in general, it shouldn't be possible to make a CSRF attack to a resource that supports PUT/DELETE verbs.

That said, the world isn't perfect. There may be several ways in which such an attack can be made possible:

  1. Web frameworks such as Rails have support for a "pseudo method". If you put a hidden field called _method, set its value to PUT or DELETE, and then submit a GET or POST request, it will override the HTTP verb. This is a way to support PUT or DELETE from browser forms. If you are using such a framework, you will have to protect yourself from CSRF using standard techniques.

  2. You may accidentally set up lax response headers for CORS on your server. This would allow arbitrary websites to make PUT and DELETE requests.

  3. At some point, HTML5 had planned to include support for PUT and DELETE in HTML Forms. But later, they removed that support. There is no guarantee that it won't be added later. Some browsers may actually have support for these verbs, and that can work against you.

  4. There may just be a bug in some browser plugin that could allow the attacker to make PUT/DELETE requests.

In short, I would recommend protecting your resources even if they only support PUT and DELETE methods.

Sripathi Krishnan answered Sep 20 '22 23:09
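An added example, not part of the question or the answer above, showing points 1 and 2 of the answer from the defender's side: a Rails-style `_method` override turns an ordinary form POST into an effective PUT or DELETE, so a CSRF-token check has to key on the effective method, and a CORS policy that echoes an untrusted origin with credentials allowed is the "lax headers" case. The `Request` class and the function names are hypothetical; the `_method` and `authenticity_token` field names follow Rails conventions.

```python
# Added example (not from the original Q&A). Models a Rails-style pseudo-method
# override and the CSRF/CORS checks a server needs around it. Names are
# hypothetical; field names (_method, authenticity_token) follow Rails.
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
WRITE_METHODS = {"PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    form: dict = field(default_factory=dict)


def effective_method(req: Request) -> str:
    """Rails-style pseudo method: a POST carrying _method=PUT/PATCH/DELETE is
    dispatched as that verb. The override is only honoured on POST, so a GET
    with _method=DELETE stays a GET."""
    override = req.form.get("_method", "").upper()
    if req.method == "POST" and override in WRITE_METHODS:
        return override
    return req.method


def check_csrf(req: Request, session_token: str) -> bool:
    """Accept a state-changing request only with a token matching the one bound
    to the session. Keyed on the *effective* method, so a plain cross-site form
    POST cannot smuggle in a DELETE without a token."""
    if effective_method(req) in SAFE_METHODS:
        return True
    submitted = req.form.get("authenticity_token", "")
    return hmac.compare_digest(submitted, session_token)


def cors_allows_credentialed_write(response_headers: dict, origin: str) -> bool:
    """True if these response headers would let `origin` (an untrusted site)
    send cookie-bearing cross-site PUT/PATCH/DELETE requests: the origin is
    echoed in Access-Control-Allow-Origin with credentials allowed. A literal
    "*" together with credentials is refused by browsers, so it is not counted."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if h.get("access-control-allow-credentials", "").lower() != "true":
        return False
    if h.get("access-control-allow-origin") != origin:
        return False
    methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
    return bool(methods & WRITE_METHODS)
```

Run the CORS check by sending a request with an `Origin` header your site does not trust and passing the response headers in; a reflected origin with `Access-Control-Allow-Credentials: true` is the configuration to fix.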