In CSRF-3 use POST instead of GET to prevent solving the assignment just by opening the URL in a new tab

2019-07-12 17:25:05 +02:00 · 2019-07-12 17:25:05 +02:00 · 97f66545e0
commit 97f66545e0
parent 27125acd22
2 changed files with 2 additions and 2 deletions
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java
@ -27,7 +27,7 @@ public class CSRFGetFlag extends Endpoint {
    @Autowired
    private PluginMessages pluginMessages;

-    @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
+    @RequestMapping(produces = {"application/json"}, method = RequestMethod.POST)
    @ResponseBody
    public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

--- a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
+++ b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
@ -14,7 +14,7 @@
    <div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>

    <form accept-charset="UNKNOWN" id="basic-csrf-get"
-          method="GET" name="form1"
+          method="POST" name="form1"
          target="_blank"
          successCallback=""
          action="/WebGoat/csrf/basic-get-flag"