[Owasp-csrfguard] OWASP CSRF Token Hijack Fix

Sriram Krishnan causalbody at gmail.com
Thu Nov 9 22:18:30 UTC 2017


Hi,
I am looking to incorporate OWASP CSRF 3.x into my webapp. I have some
generic questions; I hope you can help.
Firstly, thanks to you for all the existing documentation and code
contributions on this project.

Question 1
I've posted this question to Stack Overflow, basically trying to get some
insights on how the token hijacking could've been possible without the fix
<https://github.com/aramrami/OWASP-CSRFGuard/commit/a494d4d7d7e9814fa0feaabf81f8264d10165ffb>.
I am imagining it might be only through an existing XSS exploit, but I'm not sure.

https://stackoverflow.com/questions/47189102/owasp-csrf-token-hijacking-fix

Question 2
Are there any obvious security flaws in storing the token value (perhaps in
an encrypted form) in a session cookie instead of the HTTP session? I want to
use a centralized lookup for the token; putting it in the session will make
that tricky.

Please give me some directions here.

Thanks,
Sriram K