Is CSRF possible with PUT or DELETE methods?

4esn0k picture 4esn0k · Aug 6, 2012 · Viewed 24k times · Source

Is CSRF possible with PUT or DELETE methods? Or does the use of PUT or DELETE prevent CSRF?

Answer

Sripathi Krishnan picture Sripathi Krishnan · Aug 15, 2012

Great question!

In a perfect world, I can't think of a way to perform a CSRF attack.

  • You cannot make PUT or DELETE requests using HTML forms.
  • Images, Script tags, CSS Links etc all send GET requests to the server.
  • XmlHttpRequest and browser plugins such as Flash/Silverlight/Applets will block cross-domain requests.

So, in general, it shouldn't be possible to make a CSRF attack to a resource that supports PUT/DELETE verbs.

That said, the world isn't perfect. There may be several ways in which such an attack can be made possible :

  1. Web Frameworks such as Rails have support for "pseudo method". If you put a hidden field called _method, set its value to PUT or DELETE, and then submit a GET or POST request, it will override the HTTP Verb. This is a way to support PUT or DELETE from browser forms. If you are using such a framework, you will have to protect yourself from CSRF using standard techniques

  2. You may accidentally setup a lax response headers for CORS on your server. This would allow arbitrary websites to make PUT and DELETE requests.

  3. At some point, HTML5 had planned to include support for PUT and DELETE in HTML Forms. But later, they removed that support. There is no guarantee that it won't be added later. Some browsers may actually have support for these verbs, and that can work against you.

  4. There may just be a bug in some browser plugin that could allow the attacker to make PUT/DELETE requests.

In short, I would recommend protecting your resources even if they only support PUT and DELETE methods.