Merge pull request yiisoft#8369 from SilverFire/patch-1
Updated guide/security-best-practices [skip ci]
samdark committed May 12, 2015
2 parents c5ceb53 + 9f1a0ae commit 63e552f
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions docs/guide/security-best-practices.md
Expand Up @@ -139,10 +139,9 @@ from a user browser are made by the user himself. It could be false.
For example, `an.example.com` website has `/logout` URL that, when accessed using a simple GET, logs user out. As long
as it's requested by the user itself everything is OK but one day bad guys are somehow posting
`<img src="http://an.example.com/logout">` on a forum user visits frequently. Browser doesn't make any difference between
requesting an image or requesting a page so when user opens a page with such `img` tag he's being logged out from
`an.example.com`.
requesting an image or requesting a page so when user opens a page with such `img` tag, the browser will send the GET request to that URL, and the user will be logged out from `an.example.com`.

That's the basic idea. One can say that logging user out is nothing serious. Well, sending POST isn't much trickier.
That's the basic idea. One can say that logging user out is nothing serious, but bad guys can do much more, using this idea. Imagine that some website has an URL `http://an.example.com/purse/transfer?to=anotherUser&amout=2000`. Accessing it using GET request, causes transfer of $2000 from authorized user account to user `anotherUser`. We know, that browser will always send GET request to load an image, so we can modify code to accept only POST requests on that URL. Unfortunately, this will not save us, because an attacker can put some JavaScript code instead of `<img>` tag, which allows to send POST requests on that URL.

In order to avoid CSRF you should always:

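Review bot: the example URL in the new paragraph misspells the query parameter (`amout=2000`); it should read `http://an.example.com/purse/transfer?to=anotherUser&amount=2000` so the example matches the "$2000" it describes and readers are not distracted by the typo. The same paragraph has several grammar slips worth fixing before merge: "has an URL" should be "has a URL", the commas in "Accessing it using GET request, causes" and "We know, that browser will" should be dropped, and "which allows to send POST requests" should be "which allows sending POST requests". Finally, "we can modify code to accept only POST requests on that URL" is vague about which code; naming the endpoint ("we can change the `/purse/transfer` handler to accept only POST") makes the point that restricting the method alone does not prevent CSRF land more clearly.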