Monday, December 8, 2014

Re: POSTing data to a django view from a stand alone script with CSRF

On 12/08/2014 09:51 AM, Larry Martell wrote:
> Right, but anyone can write a script to bypass the CSRF protection. I
> was surprised that it would be so easy to do that. I guess that's not
> what CSRF was designed to protect against.

Right. There's no such thing as a CSRF attack via script. The definition
of a CSRF attack is that you trick a user's browser into doing something
the user didn't intend to do, taking advantage of the
session/authentication stored in their browser cookies.

Carl

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/5485DA0A.1020409%40oddbird.net.
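
The distinction drawn in the reply above, as an added example (not from the thread and not Django's middleware code): a simplified model of a cookie-versus-form-token check, using Django's default names `csrftoken`, `csrfmiddlewaretoken` and `sessionid`. The session store, handler and scenarios are constructed for illustration.

```python
import hmac
import secrets

# Constructed session store: session cookie value -> logged-in user.
SESSIONS = {"sess-alice": "alice"}


def handle_post(cookies, form):
    """Simplified double-submit check: cookie token must equal the form token."""
    cookie_token = cookies.get("csrftoken", "")
    form_token = form.get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return 403, None
    # An accepted request runs with whatever identity its own cookies carry.
    return 200, SESSIONS.get(cookies.get("sessionid"), "anonymous")


def standalone_script():
    """A script owns its cookie jar, so it can read the token and echo it back.
    It holds no one else's session, so nothing is done on another user's behalf."""
    jar = {"csrftoken": secrets.token_hex(16)}  # as set by the server on a GET
    form = {"csrfmiddlewaretoken": jar["csrftoken"], "data": "x"}
    return handle_post(jar, form)


def forged_cross_site_post():
    """The user's browser attaches its cookies automatically, but a page on
    another origin cannot read them, so its form carries no matching token."""
    browser_jar = {"sessionid": "sess-alice", "csrftoken": secrets.token_hex(16)}
    form = {"data": "x"}  # no csrfmiddlewaretoken available to the other site
    return handle_post(browser_jar, form)


def same_site_form_post():
    """The site's own page renders the token into the form it serves."""
    browser_jar = {"sessionid": "sess-alice", "csrftoken": secrets.token_hex(16)}
    form = {"csrfmiddlewaretoken": browser_jar["csrftoken"], "data": "x"}
    return handle_post(browser_jar, form)


if __name__ == "__main__":
    print("script:", standalone_script())
    print("forged:", forged_cross_site_post())
    print("legit: ", same_site_form_post())
```

The script passes the check but only ever acts as itself; the check exists to reject the second case, where a borrowed browser session would otherwise be used without the user's intent.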