[Webappsec] blocking CSRF attacks
Jim Manico
jim at manico.net
Tue Dec 18 03:49:33 EST 2007
Right,
But if you create standard form keys AND navigation session keys right
from the point of a successful login, even stored CSRF from a secondary
website will be detected.
I talked about this theory here; it's just very complex to code and
violates KISS pretty badly.
http://manicode.blogspot.com/2007_10_01_archive.html
- Jim
> On Dec 18, 2007, at 9:29 AM, Ray Foo wrote:
>
>
>> Correct me if I'm wrong: I think if the token can be retrieved from
>> the form via JavaScript, it would be possible to retrieve/post the
>> page flow and their tokens using JS also.
>>
>
> Ah! Spot on. Ignore my comment.
>
>
--
Best Regards,
Jim Manico
VP Software Engineering, Codemagi Inc.
Application Security Instructor, Aspect Security
jim at codemagi.com
808.652.3805 (c)
484.259.3805 (f)
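The two-layer check Jim describes, a per-session form token plus a navigation key issued for each served page and consumed on submit, as an added example that is not part of the original post or of any project; the page names, the "account" to "transfer" flow, and the function names are constructed for illustration.

```python
import hmac
import secrets


class Session:
    """Server-side session state created at successful login (constructed example)."""

    def __init__(self):
        # Standard CSRF form token, fixed for the life of the session.
        self.form_token = secrets.token_hex(16)
        # Navigation key: (page it was issued for, key value); None until a page is served.
        self.nav = None


def login():
    return Session()


# Which page is allowed to submit to which form handler (constructed flow).
ALLOWED_FLOW = {"transfer": "account"}


def serve_page(session, page):
    """Render a page: issue a fresh navigation key bound to that page."""
    session.nav = (page, secrets.token_hex(16))
    return {"form_token": session.form_token, "nav_key": session.nav[1]}


def handle_post(session, target, form_token, nav_key):
    """Validate a form submission against both keys and the expected page flow."""
    # Layer 1: the session-wide form token must match (constant-time compare).
    if not hmac.compare_digest(form_token, session.form_token):
        return "rejected: bad form token"
    # Layer 2: a navigation key must exist and match the one last issued.
    if session.nav is None or not hmac.compare_digest(nav_key, session.nav[1]):
        return "rejected: bad navigation key"
    # Layer 3: the key must have been issued for the page allowed to reach this target.
    issued_for, _ = session.nav
    if ALLOWED_FLOW.get(target) != issued_for:
        return "rejected: page flow violated"
    # Navigation keys are single use; a replayed submission fails at layer 2.
    session.nav = None
    return "accepted"
```

A forged request from another site carries neither value and fails at the first check; a replay or a submission from the wrong page fails later. The case Ray Foo raises, script running in the application's own origin that can read both values, is not stopped by this check.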