Difference between revisions of "LII:Web Application Security Guide/Prefetching and spiders"
Shawndouglas (talk | contribs) (Created as needed.)
Shawndouglas (talk | contribs) m (Added further reading)
||
Line 4: | Line 4: | ||
===To prevent this=== | ===To prevent this=== | ||
* Use POST requests instead of GETs for anything that triggers an action | * Use POST requests instead of GETs for anything that triggers an action. | ||
===Rationale=== | ===Rationale=== | ||
GET requests can be automatically and unintentionally triggered, for example by crawlers. For example in cases of “delete” buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. POST requests are expected to trigger actions and are handled accordingly by browsers. | GET requests can be automatically and unintentionally triggered, for example by crawlers. For example in cases of “delete” buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. POST requests are expected to trigger actions and are handled accordingly by browsers. | ||
==Further reading== | |||
* [[wikipedia:GET (HTTP)|GET]] | |||
* [[wikipedia:Instruction prefetch|Instruction prefetch]] | |||
* [[wikipedia:POST (HTTP)|POST]] | |||
* [[wikipedia:Web crawler|Web crawler]] | |||
==Notes== | ==Notes== | ||
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Prefetching_and_Spiders the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license. | The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Prefetching_and_Spiders the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license. |
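Review bot: the new Further reading entry [[wikipedia:Instruction prefetch|Instruction prefetch]] links the CPU instruction-prefetch article, while the section it accompanies is about browsers and crawlers prefetching links; an entry on browser link prefetching would match the text. The trailing period added to the "Use POST requests" bullet is fine.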
Latest revision as of 22:54, 10 August 2016
Prefetching and spiders
GET requests are not expected to trigger actions or state changes, so browser mechanisms such as prefetching and session restore, and crawlers, follow them freely. This can trigger unwanted actions with no user interaction at all and without any attacker being involved.
To prevent this
- Use POST requests instead of GETs for anything that triggers an action.
Rationale
GET requests can be triggered automatically and unintentionally, for example by crawlers. Where a "delete" button is implemented as a GET link, a single user with aggressive prefetching can delete everything just by opening a listing page. POST requests are expected to trigger actions and are handled accordingly by browsers.
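The rationale above, as an added example that is not part of the Wikibooks article or this wiki: a toy Python store served by two routers, the GET-based delete the guide warns against beside the POST-only version, and a simulated prefetcher that follows every link on the listing page. The routes, file names and helper names are all constructed for this demonstration.

```python
# Added example (not part of the Wikibooks article): a toy file store served
# by two routers, the "before" that deletes on GET and the "after" that
# deletes only on POST, plus a simulated link prefetcher. Every name and the
# sample files are constructed for this demonstration.
import re
from urllib.parse import parse_qs, urlparse

HREF = re.compile(r'href="([^"]+)"')


class Store:
    """In-memory stand-in for the application's data (constructed sample)."""

    def __init__(self):
        self.files = {"1": "invoice.pdf", "2": "photo.jpg", "3": "notes.txt"}


def listing_with_get_links(store):
    # Anti-pattern: the delete action is a plain link, so it is a GET request
    # that any prefetcher, session-restore feature or crawler may follow.
    rows = "".join(f'<li>{name} <a href="/delete?id={fid}">delete</a></li>'
                   for fid, name in store.files.items())
    return f'<a href="/list">refresh</a><ul>{rows}</ul>'


def listing_with_post_forms(store):
    # The delete action is a form submitted with POST. Prefetchers and
    # crawlers do not submit forms; the only GET link is the harmless refresh.
    rows = "".join(
        f'<li>{name} <form method="post" action="/delete">'
        f'<input type="hidden" name="id" value="{fid}">'
        f'<button>delete</button></form></li>'
        for fid, name in store.files.items())
    return f'<a href="/list">refresh</a><ul>{rows}</ul>'


def route_unsafe(store, method, url, body=""):
    """'Before': /delete acts on any method, so a GET deletes the file."""
    parts = urlparse(url)
    if parts.path == "/list":
        return 200, listing_with_get_links(store)
    if parts.path == "/delete":
        file_id = parse_qs(parts.query).get("id", [""])[0]
        store.files.pop(file_id, None)
        return 200, "deleted"
    return 404, "not found"


def route_safe(store, method, url, body=""):
    """'After': /delete only acts on POST; a GET is refused with 405."""
    parts = urlparse(url)
    if parts.path == "/list":
        return 200, listing_with_post_forms(store)
    if parts.path == "/delete":
        if method != "POST":
            # Safe for prefetchers and crawlers: nothing changes on GET.
            return 405, "method not allowed (Allow: POST)"
        file_id = parse_qs(body).get("id", [""])[0]
        store.files.pop(file_id, None)
        # Redirect after POST so a reload does not resubmit the action.
        return 303, "see /list"
    return 404, "not found"


def prefetch_all_links(store, router):
    """Simulate an aggressive prefetcher: load the listing, then GET every
    href on it, exactly as a browser prefetcher or crawler would."""
    _, html = router(store, "GET", "/list")
    return [(href, router(store, "GET", href)[0]) for href in HREF.findall(html)]


def files_left_after_prefetch(router):
    """Return the file names that survive one prefetching pass over the listing."""
    store = Store()
    prefetch_all_links(store, router)
    return sorted(store.files.values())


if __name__ == "__main__":
    print("GET-based delete:", files_left_after_prefetch(route_unsafe))   # []
    print("POST-based delete:", files_left_after_prefetch(route_safe))    # all three files
```

Running the block shows the prefetch pass emptying the store behind the GET-based router and leaving it untouched behind the POST-only one; the 405 returned for a GET to /delete is what makes that endpoint safe to crawl. The POST rule addresses the unintentional triggering the guide describes; it is not by itself a defence against requests an attacker deliberately causes a victim's browser to send.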
Further reading
- GET (HTTP) (Wikipedia)
- Instruction prefetch (Wikipedia)
- POST (HTTP) (Wikipedia)
- Web crawler (Wikipedia)
Notes
The original source for this page is the associated Wikibooks article (https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Prefetching_and_Spiders) and is shared here under the CC BY-SA 3.0 license (https://creativecommons.org/licenses/by-sa/3.0/).