Introduction to Tornado

by Michael Dory, Allison Parrish, Brendan Berg
March 2012
Content level: Beginner to intermediate
138 pages
3h 21m
English
O'Reilly Media, Inc.
Content preview from Introduction to Tornado

Request Vulnerabilities

One of the main security vulnerabilities facing any web application is the Cross-Site Request Forgery, usually abbreviated CSRF or XSRF and pronounced “sea surf.” The attack exploits the browser's habit of attaching a site's cookies to every request sent to that site, regardless of which page the request originated from: an attacker who can induce a logged-in user's browser to send a request to the victim site (for example by embedding it in a page the user visits) gets that request made with the user's credentials, without the user's knowledge or consent. Let’s look at an example.

Anatomy of a Cross-Site Request Forgery

Let’s say Alice is a regular customer of Burt’s Books. When she’s logged into her account on the online store, the website identifies her with a browser cookie. Now suppose an unscrupulous author, Melvin, wants to increase sales of his book. On a web forum that Alice frequents, he has posted an entry with an HTML image tag whose source is a URL that initiates a purchase in the online store. For example:

<img src="http://store.burts-books.com/purchase?title=Melvins+Web+Sploitz" />

Alice’s browser attempts to fetch the image and, because the request is addressed to store.burts-books.com, attaches her session cookie to it. The store sees a request from a logged-in Alice and completes the purchase; neither Alice nor her browser has any way of knowing that what was fetched instead of a picture of a kitten was a URL that bought a book.

Defending Against Request Forgeries

There are a number of precautions to take in order to prevent this sort of attack. The first requires some forethought on your part when developing your application. Any HTTP requests that cause side effects, like clicking a button to make a purchase, edit account settings, change a password, or delete a document, should use the HTTP
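To make the mechanism concrete, here is an added example (not code from the book, and not Tornado's own implementation) that models Alice's browser, Melvin's forged image tag and the Burt's Books purchase handler in plain Python. The Request, Browser and Store classes, the session and _xsrf cookie names and the /purchase path are all invented for the demonstration and do no real networking. The hardened handler applies the same double-submit check that Tornado performs when an Application is created with xsrf_cookies=True (the value of the _xsrf cookie must also appear in the submitted form), plus a refusal to cause side effects on GET.

```python
"""Constructed model of the Burt's Books request forgery and a
double-submit-token defence. Example code, not the book's or Tornado's;
Request, Browser and Store and the cookie names are invented here."""

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    """What the store's handler sees: method, path, the cookies the
    browser attached, and the query-string or form parameters."""
    method: str
    path: str
    cookies: dict
    args: dict = field(default_factory=dict)


class Browser:
    """Alice's browser: a cookie jar for the store plus the three ways a
    request to the store can originate in the scenario."""

    def __init__(self):
        self.jar = {}   # cookies the store has set, keyed by name

    def cross_site_get(self, url):
        # An <img src="..."> on Melvin's forum post. The browser fetches
        # the URL and attaches the store's cookies because the request
        # goes to the store; the forum page itself never sees them.
        parts = urlsplit(url)
        return Request("GET", parts.path, dict(self.jar),
                       dict(parse_qsl(parts.query)))

    def cross_site_post(self, url, form):
        # A hidden auto-submitting form on the forum: POST, cookies
        # attached, but still no way to include the _xsrf token value.
        return Request("POST", urlsplit(url).path, dict(self.jar), dict(form))

    def same_site_post(self, path, form):
        # A form served by the store itself. The store rendered the value
        # of the _xsrf cookie into a hidden field, so body and cookie match.
        return Request("POST", path, dict(self.jar),
                       dict(form, _xsrf=self.jar["_xsrf"]))


class Store:
    """Burt's Books with a vulnerable purchase handler and a hardened one."""

    def __init__(self):
        self.sessions = {}   # session cookie value -> username
        self.purchases = []  # (username, title), in order of purchase

    def login(self, browser, username):
        # The session cookie identifies Alice on later requests. The _xsrf
        # cookie is an unguessable per-session token that only pages from
        # the store's own origin can read and copy into a form.
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        browser.jar["session"] = sid
        browser.jar["_xsrf"] = secrets.token_hex(16)

    def _user(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def vulnerable_purchase(self, req):
        """Accepts any method and trusts the cookie alone, so the forged
        GET from the forum buys Melvin's book."""
        user = self._user(req)
        if user is None:
            return 403
        self.purchases.append((user, req.args["title"]))
        return 200

    def hardened_purchase(self, req):
        """Side effects only on POST, and only when the form field carries
        the same value as the _xsrf cookie (double-submit token check)."""
        user = self._user(req)
        if user is None:
            return 403
        if req.method != "POST":
            return 405
        cookie_token = req.cookies.get("_xsrf", "")
        form_token = req.args.get("_xsrf", "")
        if not cookie_token or not hmac.compare_digest(
                cookie_token.encode(), form_token.encode()):
            return 403
        self.purchases.append((user, req.args["title"]))
        return 200


def run_scenario():
    """Replay Melvin's attack against both handlers; return the status
    codes and what Alice actually ended up buying."""
    store, alice = Store(), Browser()
    store.login(alice, "alice")
    forged_url = "http://store.burts-books.com/purchase?title=Melvins+Web+Sploitz"

    results = {
        "vulnerable_get": store.vulnerable_purchase(alice.cross_site_get(forged_url)),
        "hardened_get": store.hardened_purchase(alice.cross_site_get(forged_url)),
        "hardened_cross_site_post": store.hardened_purchase(
            alice.cross_site_post(forged_url, {"title": "Melvins Web Sploitz"})),
        "hardened_same_site_post": store.hardened_purchase(
            alice.same_site_post("/purchase", {"title": "Kittens Quarterly"})),
    }
    results["purchases"] = list(store.purchases)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The cross-site POST case is the reason a method check on its own is not a defence: Melvin can make Alice's browser submit a form just as easily as fetch an image, and her cookies go along either way. What he cannot do is read the _xsrf cookie from the forum's origin, so he cannot produce a body that matches it. In a real Tornado application the equivalent is to pass xsrf_cookies=True to tornado.web.Application and emit xsrf_form_html() in every form the store renders; Tornado then rejects POST, PUT and DELETE requests whose token does not match the cookie.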


ISBN: 9781449312787