If I'm an attacker, I will write a simple HTML form page without any input fields and set the form action to http://site.com/admin/user/delete/1.
Then I put the HTML on my server and send the URL to the site admin. If the site admin opens my URL and clicks the submit button, the CSRF check will not work and the user deletion will be performed.
If I put some JS in the page to make the form submit automatically, then when the site admin opens the URL, they do not even need to click the submit button.
If I post a page without any form data, like POST admin/user/delete/1, the csrf_verify will not work and the user will be deleted. Maybe this line should change to:
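The behaviour this issue reports, modelled as an added example that is not code from the issue or from the project. Every name except csrf_verify, the csrf_token field and the cookie-based token comparison are assumptions, and the sample requests are constructed.

```python
import hmac

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_NAME = "csrf_token"  # hypothetical field/cookie name


def _tokens_match(form, cookies):
    """Compare the submitted token with the cookie copy; absent means failure."""
    sent = form.get(TOKEN_NAME, "")
    expected = cookies.get(TOKEN_NAME, "")
    if not sent or not expected:
        return False
    return hmac.compare_digest(sent.encode(), expected.encode())


def csrf_verify_flawed(method, form, cookies):
    """Models the reported behaviour: a POST with no form data skips the check."""
    if method != "POST" or len(form) == 0:
        return True  # treated as "nothing to verify", so the request proceeds
    return _tokens_match(form, cookies)


def csrf_verify_strict(method, form, cookies):
    """Decides on the HTTP method alone, so an empty body is rejected."""
    if method not in STATE_CHANGING:
        return True
    return _tokens_match(form, cookies)


# Constructed sample data: the admin's session holds this token in a cookie.
COOKIES = {TOKEN_NAME: "constructed-sample-token"}
REQUESTS = [
    ("legitimate form", "POST", {TOKEN_NAME: "constructed-sample-token", "confirm": "1"}),
    ("cross-site POST, no fields", "POST", {}),
    ("cross-site POST, wrong token", "POST", {TOKEN_NAME: "guess"}),
    ("plain page view", "GET", {}),
]


def evaluate(verify):
    """Return {request label: allowed?} for the sample requests."""
    return {label: verify(method, form, COOKIES) for label, method, form in REQUESTS}


if __name__ == "__main__":
    for fn in (csrf_verify_flawed, csrf_verify_strict):
        print(fn.__name__, evaluate(fn))
```

Only the empty-body POST is decided differently by the two functions, which is the case the issue describes.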