I'm auditing my website with w3af.
It says it found several issues on my site, but I doubt that's really the case.
One of the issues is:
The URL: http://localhost/en/login is vulnerable to cross site request forgery. It allows the attacker to exchange the method from POST to GET when sending data to the server.
I'm pretty sure it isn't vulnerable to a CSRF attack since I have used CSRF protection in my forms (a field with a token which gets checked).
So I am wondering what this message is about:
It allows the attacker to exchange the method from POST to GET when sending data to the server.
I don't care if an attacker would be able to switch from POST to GET, or do I?
And if I do can you please explain why I do? How can it be exploited?
Coming from a point of view of no experience with w3af, I would assume that it has some pretty basic rules written into it and it checks those rules and reports back on them.
In this case it will probably check whether you have used $_REQUEST instead of $_POST or $_GET and then report an error if it finds it, regardless of the efforts you have made to secure this.
Everyone will code differently so getting software to understand the context of your code would be an amazing achievement and probably be beyond the intelligence of this one. This is not meant as an attack on the software, but to be honest if I came up with some program that could understand the context and intent of someone else's code, I wouldn't be giving it away on sourceforge :p
Does it matter? Maybe depending on how well you have secured the site (see Marc B's (+1) comment above).
-- EDIT --
By using $_REQUEST instead of specifying $_POST or $_GET you have left yourself open to an area of attack that is easily closed. Not only this, but $_REQUEST also includes $_COOKIE. This has been covered here rather than me duplicating someone else's answer.
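What the "POST to GET" finding looks like in code, as an added example that is not the asker's code, the answerer's code, or anything from w3af. It assumes the site is PHP (the answer above talks about $_REQUEST), and the user store, the function names and the replayed request are all constructed for the demonstration. The first handler reads from $_REQUEST, so the form parameters sent as a GET query string are processed exactly as the POSTed form would be; the second insists on POST, reads only $_POST, and compares the token in constant time.

```php
<?php
declare(strict_types=1);

// Added example, not code from the page. Assumed names: DEMO_USER,
// check_credentials(), login_vulnerable(), login_hardened(), $sessionToken.

// Stand-in for a real user store: one user with a bcrypt hash made at startup.
const DEMO_USER = 'alice';
$demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function check_credentials(string $user, string $pass, string $hash): bool
{
    return $user === DEMO_USER && password_verify($pass, $hash);
}

// Vulnerable form: everything is read from $_REQUEST, which merges GET, POST
// and (with PHP's default request_order) COOKIE. A GET such as
//   /en/login?username=alice&password=...&csrf_token=...
// therefore behaves like the POSTed form, and the credentials end up in
// access logs, browser history and any outgoing Referer header.
function login_vulnerable(string $sessionToken, string $hash): string
{
    $token = $_REQUEST['csrf_token'] ?? '';
    if ($token !== $sessionToken) {
        return 'rejected: bad csrf token';
    }
    $user = $_REQUEST['username'] ?? '';
    $pass = $_REQUEST['password'] ?? '';
    return check_credentials($user, $pass, $hash) ? 'logged in' : 'rejected: bad credentials';
}

// Hardened form: refuse anything but POST before reading a single parameter,
// read only the POST body, and compare the CSRF token with hash_equals().
function login_hardened(string $sessionToken, string $hash): string
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        return 'rejected: method not allowed';
    }
    $token = $_POST['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        return 'rejected: bad csrf token';
    }
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return 'rejected: bad input';
    }
    return check_credentials($user, $pass, $hash) ? 'logged in' : 'rejected: bad credentials';
}

// Replay the form's parameters as a GET request, which is what the scanner
// does. Constructed request: under the CLI the superglobals are filled by hand.
$sessionToken = bin2hex(random_bytes(16));
$_SERVER['REQUEST_METHOD'] = 'GET';
$_GET = [
    'username'   => 'alice',
    'password'   => 'correct horse battery staple',
    'csrf_token' => $sessionToken,
];
$_POST = [];
$_REQUEST = $_GET;

echo 'vulnerable handler, GET: ', login_vulnerable($sessionToken, $demoHash), PHP_EOL;
echo 'hardened handler,   GET: ', login_hardened($sessionToken, $demoHash), PHP_EOL;
```

Run it with `php login.php`: the $_REQUEST handler logs the user in from a GET, the hardened one answers 405. Note the caveat: if the token really is checked, an attacker who does not know it cannot complete the GET either, so on its own this is not a working CSRF; the concrete harms are the credentials written into server logs, proxy logs, browser history and Referer headers, and, because $_REQUEST also carries cookies, a parameter being silently satisfied by a cookie the attacker can plant. Reading from $_POST and rejecting non-POST methods closes both at no cost.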