Securing the "Start New Topic" action
If we have followed the methodology presented earlier, we should now have a list of user actions along with information about what gets sent to the server when each action is taken by the user. Now that we have written rules to secure the request headers and cookies, we need to do the same for each individual action.

Let's look at how to secure the YaBB post action, which is used when a user wants to start a new topic. When a user accesses the URI for this action, he is presented with a form to create a new topic.

We know from our previous investigation that the URI sent by the web browser when the user clicks on the "Start new topic" button will be of the form /yabb/YaBB.pl?board=general;action=post;title=StartNewTopic. We thus have the following request arguments to take into consideration:
| Argument | Description | Remarks |
|---|---|---|
| board | Name of the board in which to create a new thread | Should be a valid board name consisting only of characters such as letters... |
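As an added example (it is not code from the original page or from the YaBB project), the validator below applies the allowlist idea from the table to the whole "Start new topic" request: every argument must be one of the three expected names, `action` and `title` must carry exactly the values seen in the captured URI, and `board` must match a character allowlist. Because the page truncates the list of permitted board characters, the letters-only pattern is an assumption to be tuned to the board names of the installation being protected; the duplicate-argument check is likewise an addition beyond the table. The sample URIs at the bottom are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Allowlist derived from the argument table above. The board pattern is an
# ASSUMPTION (the page only says "characters such as letters..."); widen it
# if the boards on your YaBB install use digits or underscores.
BOARD_RE = re.compile(r"^[A-Za-z]+$")
EXPECTED_PATH = "/yabb/YaBB.pl"
EXPECTED_ACTION = "post"
EXPECTED_TITLE = "StartNewTopic"
ALLOWED_ARGS = {"board", "action", "title"}


def parse_yabb_query(uri):
    """Split a YaBB request URI into a dict of query arguments.

    YaBB separates arguments with ';' (as in the URI on this page); '&' is
    accepted as well so a browser that rewrites the separator is still parsed.
    Duplicate names are rejected rather than silently merged, since a second
    copy of an argument is the usual way to smuggle a value past a filter.
    """
    query = urlsplit(uri).query
    args = {}
    for pair in re.split(r"[;&]", query):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name = unquote_plus(name)
        if name in args:
            raise ValueError(f"duplicate argument: {name}")
        args[name] = unquote_plus(value)
    return args


def validate_start_new_topic(uri):
    """Return (ok, reason) for a request URI.

    ok is True only when the URI has exactly the shape of the legitimate
    "Start new topic" request: the right path, no extra or missing arguments,
    the fixed action/title values, and a board name inside the allowlist.
    """
    if urlsplit(uri).path != EXPECTED_PATH:
        return False, "unexpected path"
    try:
        args = parse_yabb_query(uri)
    except ValueError as exc:
        return False, str(exc)
    unexpected = set(args) - ALLOWED_ARGS
    if unexpected:
        return False, f"unexpected argument(s): {sorted(unexpected)}"
    missing = ALLOWED_ARGS - set(args)
    if missing:
        return False, f"missing argument(s): {sorted(missing)}"
    if args["action"] != EXPECTED_ACTION:
        return False, f"action is not '{EXPECTED_ACTION}'"
    if args["title"] != EXPECTED_TITLE:
        return False, f"title is not '{EXPECTED_TITLE}'"
    if not BOARD_RE.fullmatch(args["board"]):
        return False, "board name contains characters outside the allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URIs: the captured request from the page, then
    # variants a filter should refuse.
    samples = [
        "/yabb/YaBB.pl?board=general;action=post;title=StartNewTopic",
        "/yabb/YaBB.pl?board=gen%27;action=post;title=StartNewTopic",
        "/yabb/YaBB.pl?board=general;action=post;title=StartNewTopic;debug=1",
        "/yabb/YaBB.pl?board=a;board=b;action=post;title=StartNewTopic",
    ]
    for sample in samples:
        ok, reason = validate_start_new_topic(sample)
        print("ALLOW" if ok else "DENY ", reason, "<-", sample)
```

The check is deliberately positive (accept only what is known good) rather than negative (reject known-bad patterns): the table lists what each argument is supposed to contain, and that description is what the rule encodes.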