DEV Community 👩‍💻👨‍💻

Discussion on: Evil Session Tokens

rmorschel profile image
Robert Morschel Author

You guys are absolutely right. The line "the hacker now has access to Joe's back-end data" with respect to GET requests is very misleading in this example.

Allow me a little justification, in my defense.

At a previous company, we were CSRF hacked as follows:

  • some of our GET endpoints had side effects, which allowed the phisher to do actions on the client's account
  • we have a suite of REST endpoints for mobile clients, which the phisher was able to use because CORS can't be applied
  • we had a JS injection vulnerability that was exploited using POST, where XmlHttpRequest was sent using ENCTYPE - not sure on the details

So in our case, the phisher had full access to client data, which is not the case with SIMPLES.COM.

Thank you all. I'll edit the post appropriately.

*hangs head in abject shame

joncalhoun profile image
Jon Calhoun

There is no shame in correcting a mistake. I'm sure I've made my fair share of them in writing. :)