Galin Iliev's blog

Software Architecture & Development

Cross-site request forgery or how dangerous REST can be if not implemented properly

A friend of mine sent me a link to a Wikipedia article describing the Cross-site request forgery attack.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF ("sea-surf"[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

(source: Wikipedia)

This is how the attack is performed:

<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

Note how simple this is. When the victim's browser renders a page containing that tag, it fetches the URL and attaches the victim's cookies for bank.example, so if the victim is logged in, the withdrawal goes through. The end user sees nothing, not even an image, because the response is not image data and the browser simply renders a broken image.

This illustrates why it is so important, when implementing REST in your services, to let GET requests only read. GET (like HEAD) is a safe method and must never change state, so a link or image tag on a third-party page can never trigger an action. Moving state changes to POST (or PUT/DELETE) is necessary but not sufficient: an attacker's page can auto-submit a hidden cross-site form, and the browser still attaches the victim's cookies. State-changing requests therefore also need an anti-CSRF token tied to the session that the attacker's page cannot read (and, in current browsers, SameSite cookies).