If the application uses RESTful communication, does it need to have CSRF protection for PUT and DELETE requests? As per my understanding its not possible to trigger a PUT request using JavaScript and hence I would like to know if there is any exploitation possible with CSRF PUT..
1 Answers
It is possible to do PUT and DELETE using Javascript with XMLHttpRequest. But in when using these methods for a cross-origin request preflight request will be done to check if the server is willing to accept this cross-origin PUT/DELETE. Unless the server explicitly allows this request the actual PUT/DELETE will not be done. For more information about CORS and preflight requests see http://www.html5rocks.com/en/tutorials/cors/.
Note that in (older) browsers which do not support CORS XMLHttpRequest is restricted by the same origin policy. This means that the browser will not even attempt to send a cross-origin request this way and thus no CSRF is possible.
In summary: unless your server is configured to accept cross origin requests CSRF with PUT or DELETE is not possible.
- 190,458
- 29
- 381
- 434
-
[Flash player](https://stackoverflow.com/a/12650149/2284570) ? – user2284570 Feb 18 '19 at 23:15
-
@user2284570: I'm not really sure what you are trying to achieve with this short and link-only comment. But flash has a similar protection, i.e. one needs to have an appropriate crossdomain.xml file at the target to allow cross-site requests. – Steffen Ullrich Feb 19 '19 at 03:17
-
1With a 307 redirect you can make almost any request Flash player request can do anywhere (and always with cookies)… crossdomain.xml is about reading the resulting response not sending the data. – user2284570 Mar 12 '19 at 23:38