[Webappsec] blocking CSRF attacks
jim at manico.net
Tue Dec 18 03:49:33 EST 2007
But if you create standard form keys AND navigation session keys right
from the point of a successful login, even stored CSRF from a secondary
website will be detected.
I talked about this theory here; it's just very complex to code and
violates KISS pretty badly.
> On Dec 18, 2007, at 9:29 AM, Ray Foo wrote:
>> Correct me if I'm wrong: I think if the token can be retrieved from
>> page flow and their tokens using JS also.
> Ah! Spot on. Ignore my comment.
VP Software Engineering, Codemagi Inc.
Application Security Instructor, Aspect Security
jim at codemagi.com
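To make the scheme in the message above concrete, here is an added example (not Jim's code, and not anything from the thread) that models one reading of "standard form keys AND navigation session keys": a per-session synchronizer token fixed at login, plus a navigation key that is re-issued every time the server renders a page, so a request is only accepted if it carries both the session's form key and the key of the page the user is actually on. The class and method names, the page paths, and the audit log format are all hypothetical; the scenario requests are constructed inline.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    form_key: str   # standard per-session synchronizer token, fixed at login
    nav_key: str    # navigation key for the page the user is currently on
    page: str = ""  # last page rendered for this session (for the audit line)


class CsrfGuard:
    """Hypothetical server-side guard combining a per-session form key with a
    per-page navigation key.  Rejections are recorded so a stored CSRF attempt
    is detected, not just silently dropped."""

    def __init__(self):
        self.sessions = {}   # session id -> Session
        self.audit = []      # rejected requests, one line each

    def login(self, user):
        """Issue a session id, a form key and an initial navigation key."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user,
                                     secrets.token_urlsafe(16),
                                     secrets.token_urlsafe(16))
        return sid

    def render_page(self, sid, page):
        """Called whenever a page is served: rotate the navigation key and
        return the (form_key, nav_key) pair the page must embed in its forms."""
        s = self.sessions[sid]
        s.page = page
        s.nav_key = secrets.token_urlsafe(16)
        return s.form_key, s.nav_key

    def check(self, sid, form_key, nav_key):
        """Validate a state-changing request.  Returns "ok" or a reason string;
        every rejection is appended to the audit log."""
        s = self.sessions.get(sid)
        if s is None:
            return "no-session"
        # Constant-time comparisons so the guard itself does not leak key bytes.
        if not hmac.compare_digest(s.form_key, form_key):
            verdict = "bad-form-key"        # no (or wrong) synchronizer token
        elif not hmac.compare_digest(s.nav_key, nav_key):
            verdict = "stale-nav-key"       # token is real but not for this page
        else:
            return "ok"
        self.audit.append(f"user={s.user} page={s.page} verdict={verdict}")
        return verdict


def scenario():
    """Constructed walk-through: one legitimate submit, one forged request from
    a secondary site, one replay after the user has navigated away."""
    guard = CsrfGuard()
    sid = guard.login("alice")
    form_key, nav1 = guard.render_page(sid, "/transfer")
    results = {}

    # Legitimate submit from the page the server just rendered.
    results["legit"] = guard.check(sid, form_key, nav1)

    # Stored CSRF from another site: the browser attaches the session cookie,
    # but the forged form carries neither key.
    results["stored_csrf"] = guard.check(sid, "", "")

    # The user moves on; the navigation key rotates.  Even a request that
    # somehow reuses the per-session form key is rejected with the old nav key.
    _, nav2 = guard.render_page(sid, "/account")
    results["stale_replay"] = guard.check(sid, form_key, nav1)

    # A request built from the current page still works.
    results["current_page"] = guard.check(sid, form_key, nav2)
    return results, guard.audit


if __name__ == "__main__":
    verdicts, log = scenario()
    print(verdicts)
    for line in log:
        print(line)
```

The second rejection is the one the message is about: a plain synchronizer token cannot tell a replayed-but-valid token apart from a fresh one, whereas the rotating navigation key ties the request to the page the user actually loaded. The caveat raised in the quoted reply still stands: if script running in the victim's origin can read the rendered page, it can read both keys, so this scheme addresses cross-site forgery, not same-origin script injection.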