How to prevent Cross Site Foreign Script Attacks on your actions.


by j0n4s.h4rtm4nn@googlemail.com


Given someone mails you a link with HTML images that tries to fetch http://domain.tld/users/add_friend/5
  - now the user is logged into a web client that fetches that URL.

How do you protect your Cake application so that it does not modify data? HTML-wise this should be a PUT or POST method, not a GET method, but how do I tell CakePHP to ignore GET requests?
How do I furthermore set up the link in my application's view ($html->link()) to use PUT or POST instead of GET? Will this be possible without a <form>?

Any tips?

Kind regards
  ionas82

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@...
To unsubscribe from this group, send email to cake-php+unsubscribe@...
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---


Re: How to prevent Cross Site Foreign Script Attacks on your actions.

by Miles J


Well, in most cases, no. If you're on, say, a user's profile, you would submit to that page. Within that page you would check if $_POST exists and then perform the add-friend logic.

On Nov 2, 8:44 am, Jonas Hartmann <j0n4s.h4rtm...@...>
wrote:

> Given someone mails you a link with HTML images that tries to fetch http://domain.tld/users/add_friend/5
>   - now the user is logged into a web client that fetches that URL.
>
> How do you protect your Cake application so that it does not modify data? HTML-wise this should be a PUT or POST method, not a GET method, but how do I tell CakePHP to ignore GET requests?
> How do I furthermore set up the link in my application's view ($html->link()) to use PUT or POST instead of GET? Will this be possible without a <form>?
>
> Any tips?
>
> Kind regards
>   ionas82


Re: How to prevent Cross Site Foreign Script Attacks on your actions.

by j0n4s.h4rtm4nn@googlemail.com


I don't entirely understand. How could I fill up $_POST by using $html->link?

On Nov 3, 12:32 am, Miles J <mileswjohn...@...> wrote:

> Well, in most cases, no. If you're on, say, a user's profile, you would submit to that page. Within that page you would check if $_POST exists and then perform the add-friend logic.
>
> On Nov 2, 8:44 am, Jonas Hartmann <j0n4s.h4rtm...@...>
> wrote:
>
> > Given someone mails you a link with HTML images that tries to fetch http://domain.tld/users/add_friend/5
> >   - now the user is logged into a web client that fetches that URL.
>
> > How do you protect your Cake application so that it does not modify data? HTML-wise this should be a PUT or POST method, not a GET method, but how do I tell CakePHP to ignore GET requests?
> > How do I furthermore set up the link in my application's view ($html->link()) to use PUT or POST instead of GET? Will this be possible without a <form>?
>
> > Any tips?
>
> > Kind regards
> >   ionas82


Re: How to prevent Cross Site Foreign Script Attacks on your actions.

by John Andersen-6


Look at the CakePHP documentation:

http://book.cakephp.org/view/55/The-Parameters-Attribute-params

This describes where CakePHP stores the form data and the URL data.

Enjoy,
   John

On Nov 2, 6:44 pm, Jonas Hartmann <j0n4s.h4rtm...@...>
wrote:

> Given someone mails you a link with HTML images that tries to fetch http://domain.tld/users/add_friend/5
>   - now the user is logged into a web client that fetches that URL.
>
> How do you protect your Cake application so that it does not modify data? HTML-wise this should be a PUT or POST method, not a GET method, but how do I tell CakePHP to ignore GET requests?
> How do I furthermore set up the link in my application's view ($html->link()) to use PUT or POST instead of GET? Will this be possible without a <form>?
>
> Any tips?
>
> Kind regards
>   ionas82


Re: How to prevent Cross Site Foreign Script Attacks on your actions.

by Miles J


You don't. You turn it into a button or a submit form, then post the data to the action and do the processing there. Or you do an AJAX call.

On Nov 3, 5:08 am, "j0n4s.h4rtm...@..."
<j0n4s.h4rtm...@...> wrote:

> I don't entirely understand. How could I fill up $_POST by using $html->link?
>
> On Nov 3, 12:32 am, Miles J <mileswjohn...@...> wrote:
>
> > Well, in most cases, no. If you're on, say, a user's profile, you would submit to that page. Within that page you would check if $_POST exists and then perform the add-friend logic.
>
> > On Nov 2, 8:44 am, Jonas Hartmann <j0n4s.h4rtm...@...>
> > wrote:
>
> > > Given someone mails you a link with HTML images that tries to fetch http://domain.tld/users/add_friend/5
> > >   - now the user is logged into a web client that fetches that URL.
>
> > > How do you protect your Cake application so that it does not modify data? HTML-wise this should be a PUT or POST method, not a GET method, but how do I tell CakePHP to ignore GET requests?
> > > How do I furthermore set up the link in my application's view ($html->link()) to use PUT or POST instead of GET? Will this be possible without a <form>?
>
> > > Any tips?
>
> > > Kind regards
> > >   ionas82
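One way to do what Miles describes, written as an added example in CakePHP 1.2 style (not code from this thread or from the CakePHP project): the view swaps `$html->link()` for a one-button POST form, and the controller uses the Security component's `requirePost()` plus its own check so a GET, such as the one a mailed `<img>` tag triggers, never performs the change. The controller, view path, model and field names, and the `view` action it redirects to are assumptions.

```php
<?php
// Added example (assumed file: app/controllers/users_controller.php).
// Refuses anything that is not a POST for the add_friend action.
class UsersController extends AppController {
    var $name = 'Users';
    // Security->requirePost() rejects (404 by default) any request to the
    // listed actions that is not a POST, so <img src="/users/add_friend/5">
    // in an e-mail, which the browser fetches with GET, never reaches the action.
    var $components = array('Security', 'RequestHandler', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        $this->Security->requirePost('add_friend');
    }

    function add_friend($friendId = null) {
        // Second, explicit check inside the action itself: only act on a POST
        // that actually carried form data (Miles' "$_POST exists" test).
        if (!$this->RequestHandler->isPost() || empty($this->data)) {
            $this->Session->setFlash('Use the "Add friend" button to add a friend.');
            $this->redirect(array('action' => 'view', $friendId));
        }
        // ... add-friend logic for the logged-in user goes here (assumed) ...
        $this->Session->setFlash('Friend added.');
        $this->redirect(array('action' => 'view', $friendId));
    }
}
?>
<?php
// Assumed view file app/views/users/view.ctp: a one-button POST form replaces
// $html->link('Add friend', '/users/add_friend/5'). With the Security component
// loaded, FormHelper also embeds a hidden per-form token that the component
// validates on submit, so a forged POST from another site is rejected as well.
echo $form->create('User', array(
    'url' => array('controller' => 'users', 'action' => 'add_friend', $user['User']['id'])
));
echo $form->end('Add friend');
?>
```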