[wp-hackers] Re: wp-hackers Digest, Vol 25, Issue 18
Tom Barta
tbarta at gmail.com
Wed Feb 14 05:49:27 GMT 2007
Elliotte Harold wrote:
> Alex Günsche wrote:
>
> > With the same arguments, you could say that other managing actions which
> > are triggered by a GET request are vulnerable to XSS attacks.
>
> Very possibly they are. Managing actions should not be triggered by GET
> requests. Full stop.
>
> I doubt we've seen the last or the worst of these attacks.
I agree on both cases:
Per the HTTP RFC(s), GET requests are supposed to be idempotent.
Technically, this means that GETting a URL any number of times will
have identical side effects to getting it once. In practice, this
usually means that GET requests have no long-standing side-effects.
If admin pages operate on a POST -> redirect -> GET pattern, then we
get several advantages:
- A web browser's back/forward operations won't ever trigger a
duplicate action (since browser history skips over the redirected
POSTs)
- A web browser won't prompt the user to re-submit POSTed data,
because no POSTed page ever produces output.
However, I don't know that this by itself will stop XSS attacks. A
link could simply have a javascript action to create and submit an
arbitrary form as a post. I do know there are a lot of places (see
http://trac.wordpress.org/ticket/3279) where Wordpress doesn't
properly escape its output, and every one of them is a potential
entrypoint for attacks.
--
Tom Barta