I am displaying a list of records on a web page. Put a link to delete for each record. Given that the links only generate Get requests, is there a security issue? Or what is the correct method of requesting to delete the record to the server?
<div>
<p>Record 1<p>
<a href='server/Page/?handler=deleteHandler&id=1' >Delete Record 1<a/>
<div>
<div>
<p>Record 2<p>
<a href='server/Page/?handler=deleteHandler&id=2' >Delete Record 2<a/>
<div>
<div>
<p>Record 3<p>
<a href='server/Page/?handler=deleteHandler&id=1' >Delete Record 3<a/>
<div>
CodePudding user response:
It isn't a security issue, but it can be an issue.
GET requests are supposed to be safe.
Request methods are considered "safe" if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. Likewise, reasonable use of a safe method is not expected to cause any harm, loss of property, or unusual burden on the origin server.
There was a case, sadly I can't find documentation for it now, where someone installed a browser plugin to precache links from any webpage they viewed so there would be less of a delay from clicking the link to viewing the page.
This person logged into a web forum to which they had admin access, and the precacher followed all the delete links and deleted every post on every page of every thread the admin read.
Or what is the correct method of requesting to delete the record to the server?
Use a button, not a link.
This can be either a submit button that submits a POST form, or a button hooked into Ajax that makes a suitable request (with the POST or DELETE method).
That said, you do have a security issue. It just isn't directly related to your use of links. You are vulnerable to CSRF attacks.