In CSRF-3 use POST instead of GET to prevent solving the assignment j…

…ust by opening the URL in a new tab
hazanasec · Jul 12, 2019 · 97f6654 · 97f6654
1 parent 27125ac
commit 97f6654
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java
@@ -27,7 +27,7 @@ public class CSRFGetFlag extends Endpoint {
     @Autowired
     private PluginMessages pluginMessages;
 
-    @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
+    @RequestMapping(produces = {"application/json"}, method = RequestMethod.POST)
     @ResponseBody
     public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
 

diff --git a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
@@ -14,7 +14,7 @@
     <div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>
 
     <form accept-charset="UNKNOWN" id="basic-csrf-get"
-          method="GET" name="form1"
+          method="POST" name="form1"
           target="_blank"
           successCallback=""
           action="/WebGoat/csrf/basic-get-flag"