[seam-dev] XSRF and JSF2
Christian Bauer
christian.bauer at gmail.com
Wed Oct 1 13:00:15 EDT 2008
On Oct 01, 2008, at 18:32, Dan Allen wrote:
> A contact form is another great example. It would be no
> different than implementing a GET request with a page action. No doubt
> I am not thinking of some obscure attack, so feel free to cite where
> my logic is faulty, but I believe there is such a thing as a stateless
> page.
Well, would you like some "other" website to submit "your" contact form a hundred times? This might be just a DoS instead of a real exploit, but it's still not something I would want to happen.

Anything that is non-safe, in the sense that resource state is permanently modified, no matter if you abuse a GET (which is supposed to be safe) or have an XSRF POST problem, is potentially damaging. Even a login form can be problematic; let's say you lock the account after three unsuccessful authentication attempts?
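As an added illustration of the point made in this thread (not code from the list, from Seam or from JSF): a minimal synchronizer-token check for a contact form that also refuses to run a state-changing page action behind GET, the "abused GET" case. Function names, the session dict and the sample requests are constructed for the example; the Origin comparison is an extra layer the mail does not mention.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # safe per HTTP: must never change state


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session synchronizer token that every form embeds."""
    if "xsrf_token" not in session:
        session["xsrf_token"] = secrets.token_urlsafe(32)
    return session["xsrf_token"]


def check_request(session, method, params, origin, site_origin, changes_state):
    """Decide whether a request may run its action; returns (allowed, reason)."""
    if method in SAFE_METHODS:
        # The "abused GET" from the mail: a state-changing page action behind GET
        # cannot be protected by a token, since any foreign page can trigger a GET.
        if changes_state:
            return False, "state-changing action reached via a safe method"
        return True, "safe request"
    # Browsers attach an Origin header to cross-site POSTs; a mismatch is rejected.
    if origin is not None and origin != site_origin:
        return False, "cross-origin POST"
    expected = session.get("xsrf_token")
    supplied = params.get("xsrf_token", "")
    # Constant-time comparison, so a token cannot be probed byte by byte via timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid synchronizer token"
    return True, "token verified"


def demo():
    """Constructed sample requests to a contact form on a hypothetical site."""
    site = "https://example.org"
    session = {}
    token = issue_token(session)  # would be rendered as a hidden field in the form
    cases = {
        # the site's own form, submitted with its token
        "own_form": check_request(session, "POST", {"xsrf_token": token}, site, site, True),
        # another website posting the form: Origin mismatch
        "foreign_post": check_request(session, "POST", {}, "https://evil.example", site, True),
        # no Origin header (older client) and a guessed token
        "guessed_token": check_request(session, "POST", {"xsrf_token": "A" * 43}, None, site, True),
        # GET page action that sends the mail: rejected regardless of tokens
        "get_action": check_request(session, "GET", {}, None, site, True),
        # GET that only renders the form
        "get_render": check_request(session, "GET", {}, None, site, False),
    }
    return {name: allowed for name, (allowed, _) in cases.items()}
```

The login-lockout case from the mail is handled the same way: the authentication POST carries the token, so a foreign page cannot burn the three attempts on a victim's behalf.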