On Oct 01, 2008, at 18:32, Dan Allen wrote:
> A contact form is another great example. It would be no
> different than implementing a GET request with a page action. No doubt
> I am not thinking of some obscure attack, so feel free to cite where
> my logic is faulty, but I believe there is such a thing as a stateless
> page.
Well, would you like it if some "other" website submitted "your" contact
form a hundred times? This might be just a DoS instead of a real
exploit, but it's still not something I would want to happen.
Anything that is non-safe, in the sense that resource state is
permanently modified, no matter if you abuse a GET (which is supposed
to be safe) or have an XSRF POST problem, is potentially damaging. Even
a login form can be problematic; let's say you lock the account after
three unsuccessful authentication attempts?
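The point made above, that a "stateless" contact form still needs protection against cross-site submission, as an added example that is not part of this thread or of any project discussed in it: a Python handler that keeps no server-side token state but binds an HMAC-signed token to the session cookie value, so a page on another origin cannot obtain a valid token for the victim's session. Names (`issue_token`, `verify_token`, `handle_contact`, `SECRET_KEY`) are assumptions for this example; it goes slightly beyond the thread by also expiring tokens after an hour.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid

def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Stateless anti-CSRF token: HMAC over (session id, issue time).
    Nothing is stored on the server; validity is recomputed from the token."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def verify_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """True only if the token was minted for this session and has not expired."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

SENT_MESSAGES = []  # stands in for "send the contact e-mail" (the non-safe action)

def handle_contact(method: str, form: dict, session_id: str):
    """GET only renders the form (safe); the state change happens only on a
    POST that carries a token bound to the caller's own session cookie."""
    if method == "GET":
        return 200, {"csrf_token": issue_token(session_id)}
    if method != "POST":
        return 405, None
    if not verify_token(form.get("csrf_token", ""), session_id):
        return 403, None  # missing or foreign token: treat as cross-site submission
    SENT_MESSAGES.append(form.get("message", ""))
    return 200, None
```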