SHIM Security Improvements

I made some security improvements in SHIM.

The other day I noticed that SHIM was vulnerable to CSRF attacks, so I decided to fix that. To do this I used nosurf. It ended up being pretty simple: just plug in nosurf as middleware for your requests, and then plug the token values in a hidden <input> element somewhere inside your <form>.

While implementing this, I also saw that SHIM’s Delete Post page had a security vulnerability: it didn’t follow the HTTP specification. How? SHIM was using a GET request to delete a page, which violates GET’s semantics as a safe, idempotent method: a GET is only supposed to retrieve data, never change state on the server. But wait, how is a semantic bug a security vulnerability? How did this happen?

Why are such little things important? Do you really need to worry about the minute technical details of the HTTP protocol when building a web application? Yes. Yes you do.

It matters because these little things can have security implications that you may not have foreseen. Like opening your garage door:

While this security flaw probably didn’t affect anyone, it possibly could have.

For example, a simple request to https://www.camconn[.]cc/secret/path/to/shim/delete/<post base64>?confirm=yes could have given an attacker the ability to delete arbitrary pages on my website. That isn’t totally pwning me, but that is still pretty bad.
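The two fixes described above, sketched as an added example (not SHIM's code): a delete handler that refuses GET and only acts on a POST whose form token matches the CSRF cookie. It uses only the standard library, with a simplified double-submit cookie comparison standing in for nosurf's token check; the handler, field name, token and post ID are all hypothetical or constructed.

```go
// Added example: hypothetical names, standard library only (stand-in for nosurf).
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const field = "csrf_token" // hypothetical cookie name and hidden <input> name

// deleteHandler changes state only on POST, and only when the form token
// equals the cookie token. GET never deletes, whatever the query string says.
func deleteHandler(deleted *[]string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		c, err := r.Cookie(field)
		if err != nil || c.Value == "" ||
			subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.PostFormValue(field))) != 1 {
			http.Error(w, "bad CSRF token", http.StatusForbidden)
			return
		}
		*deleted = append(*deleted, r.PostFormValue("post"))
		w.WriteHeader(http.StatusNoContent)
	}
}

// try sends one constructed request to the handler and returns the status code.
func try(h http.Handler, method, cookie, formToken string) int {
	form := url.Values{"post": {"cG9zdA"}, field: {formToken}}
	req := httptest.NewRequest(method, "/delete?confirm=yes", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: field, Value: cookie})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	var deleted []string
	h := deleteHandler(&deleted)
	tok := "constructed-demo-token" // a real token must be random per session
	fmt.Println(try(h, "GET", tok, tok), try(h, "POST", tok, "forged"), try(h, "POST", tok, tok), deleted)
}
```

A cross-site page can make the browser send the cookie, but it cannot read the cookie to copy its value into the form, which is why the mismatch case is rejected.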

Anywho, SHIM has been updated. Patch your installations.