[Owasp-csrfguard] Browser sends request before token injection

Smith Family smitty_in_vancouver at yahoo.com
Tue Aug 7 13:34:21 UTC 2012


I ran into the issue previously posted about:
'browser sends request before token is injected into element'

And I saw back in March 2011 this was being looked into for a possible solution.

Has there been any progress on this or any solutions anyone has implemented?  Typically the CSRFGuard JS
completes before the user clicks anything, but it's not too hard to beat it when the network is laggy
or if automated scripting is used like Selenium.

I'm looking into the idea of overriding onclick for the page and caching the event until after the
DOM has been processed and then firing it.  Though I have a feeling this could introduce other issues.

Thanks,
Smitty
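
The deferral idea in the message above, narrowed to form submissions, as an added example that is not part of the original post and is not CSRFGuard code. `createSubmitGate`, `injectToken` and `replay` are hypothetical names; the sketch assumes the page calls `release()` once token injection has finished.

```javascript
// Hold form submissions made before the CSRF token exists, then replay them.
// Hypothetical helper for illustration; not part of the CSRFGuard API.
function createSubmitGate(root, replay) {
  // Default replay (browser): re-submit through the normal submit path,
  // so validation and other submit handlers still run.
  replay = replay || ((form) => form.requestSubmit());
  let ready = false;
  const held = []; // forms submitted while the token was still missing

  root.addEventListener('submit', (event) => {
    if (ready) return;                 // token injected: let the request go
    event.preventDefault();            // block the token-less request
    event.stopImmediatePropagation();  // keep page handlers from sending it
    const form = event.target;
    if (!held.includes(form)) held.push(form); // collapse repeated clicks
  }, { capture: true });               // capture phase: runs before page handlers

  return {
    heldCount: () => held.length,
    // Call after the DOM has been processed. injectToken is the page's own
    // injection routine (assumed to be synchronous here).
    release(injectToken) {
      injectToken();
      ready = true;
      const forms = held.splice(0);    // empty the queue before replaying
      forms.forEach(replay);
      return forms.length;             // number of submissions replayed
    },
  };
}
```

In a page this would be installed as early as possible, for example `createSubmitGate(document)` in an inline script in the head, so the listener is in place before any form can be used. Links and script-issued requests are not covered by this gate.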