LaurentDelc

XSRF: using POST instead of GET in VF page

Hi,

I get XSRF issues on some of my VF pages when I use the security tool. The response I got from our Salesforce security contact is:

"If you convert the requests to POST, the platform anti-csrf protection automatically kicks in."

Also I can read in the security report:

"A more appropriate fix is to not perform actions within a GET request that will save something in the database and simply change these to use a POST body instead."

Alright, we know the solution. But how do we do that? I have searched the Visualforce documentation and couldn't find anything on using POST forms.

Can anyone explain to me how to do that?

Cheers,

Laurent

BrendanOC

The default action of an <apex:form> is to POST. For example, this form:

<apex:page standardController="Account">
    <apex:form>
        <apex:pageBlock title="My Content" mode="edit">
            <apex:pageBlockButtons>
                <apex:commandButton action="{!save}" value="Save"/>
            </apex:pageBlockButtons>
            <apex:pageBlockSection title="My Content Section" columns="2">
                <apex:inputField value="{!account.name}"/>
                <apex:inputField value="{!account.site}"/>
                <apex:inputField value="{!account.type}"/>
                <apex:inputField value="{!account.accountNumber}"/>
            </apex:pageBlockSection>
        </apex:pageBlock>
    </apex:form>
</apex:page>

That form is using the POST method with the ViewState CSRF token automatically, so there is no vulnerability.

Code that parses the Query String such as ApexPages.CurrentPage.getParameters().get('id') is allowing the GET method.  If you were to then perform some DML based on the value of 'id', you would be vulnerable to CSRF.  To get a better understanding of what the browser is doing and see the GET and POST verbs in action, you can use an inline proxy to see the raw HTTP requests and responses.

Check out the Writing Secure Apps on the Force.com Platform online training class here: http://salesforce.acrobat.com/writingsecureapps/

There is a section on using an inline Proxy, as well as a section on CSRF attacks and defense.

Hope that helps!
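To make the difference between the two request patterns concrete, here is an added controller-extension example (written for this thread, not code from either poster or from Salesforce). It puts the same DML behind two entry points: one bound to the page's action attribute, which fires on a plain GET and reads the record id from the query string, and one bound to an <apex:commandButton> inside an <apex:form>, which only runs on the POST that carries the ViewState token. The class name, page names and the use of the standard Account Rating picklist (with its default "Cold" value) are assumptions for illustration.

```apex
// Visualforce bindings (assumed, shown here as comments because Apex and
// page markup live in separate files in a Salesforce org).
//
// Vulnerable page: the action attribute runs on page load, so a GET of
//   /apex/AccountCloseOnLoad?id=<record id>
// is enough to change data. No form, no ViewState, no token.
//
//   <apex:page standardController="Account"
//              extensions="AccountCloseController"
//              action="{!closeOnLoad}"/>
//
// Hardened page: the DML only runs from the POST submitted by the button.
// The <apex:form> adds the ViewState field, and the platform rejects a
// POST whose token does not match before closeAccount() is ever called.
//
//   <apex:page standardController="Account" extensions="AccountCloseController">
//       <apex:pageMessages/>
//       <apex:form>
//           <apex:commandButton action="{!closeAccount}" value="Close account"/>
//       </apex:form>
//   </apex:page>

public with sharing class AccountCloseController {
    private final ApexPages.StandardController ctrl;

    public AccountCloseController(ApexPages.StandardController stdCtrl) {
        ctrl = stdCtrl;
    }

    // VULNERABLE pattern: invoked from the page's action attribute, i.e. on a
    // GET request. Any site that can make the victim's browser load this URL
    // can trigger the update, and the id is read straight from the query
    // string exactly as the answer above describes.
    public PageReference closeOnLoad() {
        String accId = ApexPages.currentPage().getParameters().get('id');
        Account acc = [SELECT Id, Rating FROM Account WHERE Id = :accId];
        acc.Rating = 'Cold';   // assumed default picklist value
        update acc;            // state change on GET, no anti-CSRF token involved
        return ctrl.view();
    }

    // HARDENED pattern: invoked only from the <apex:commandButton> POST. The
    // platform has already validated the ViewState token by the time this
    // runs, and the record comes from the StandardController (captured when
    // the page was first rendered and preserved in ViewState) rather than
    // being re-read from the query string. The token does not replace
    // authorization, so the field-level check stays.
    public PageReference closeAccount() {
        if (!Schema.sObjectType.Account.fields.Rating.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'You do not have access to update Rating.'));
            return null;
        }
        Account acc = (Account) ctrl.getRecord();
        acc.Rating = 'Cold';   // assumed default picklist value
        update acc;            // runs only after the POST and its token pass
        return ctrl.view();
    }
}
```

The fix in the thread is therefore not "use a different HTTP verb" in the controller, which never sees the verb directly; it is moving every state-changing call out of constructors and page-load actions into action methods that are reachable only through an <apex:form> submission. A quick self-check for an existing page: if the DML can be reached by pasting a URL into the address bar, it is on the GET path.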