[Owasp-csrfprotector] protection for GET requests
Minhaz A V
minhazav at gmail.com
Sun May 25 22:14:59 UTC 2014
We had our discussions on whether we should support CSRF protection for GET
requests. Currently we are providing a configurable option for developers to
enable support for GET, and validation will be done for those requests that
contain query parameters, with the default action being to strip cookies and
forward the request.
We cannot enable validation for all GET requests directly, as this will
lead to many false negatives. But GET-based CSRF attacks can be dangerous as
well.
What if we keep a list of specific URLs for which the developer wants to check
CSRF validation in GET requests? This would create no false positives or
false negatives, as GET requests to only certain URLs can be vulnerable. If the
developer can identify these, we can map every host URL in a request against
the list the developer has maintained and provide validation for those only.
This will complicate the logic to a certain extent, but we can implement
minhaz.cistoner.org || cistoner.org
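The two policies discussed in the message, modelled as an added example (this is not CSRFProtector's code; the config keys `validate_get` and `watched_paths`, the `csrfp_token` query parameter name and the sample cookie and token are assumptions):

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed query-parameter name for the token; hypothetical, not the library's.
TOKEN_PARAM = "csrfp_token"

def needs_get_validation(url, config):
    """Decide whether a GET request should be CSRF-validated.

    Without 'watched_paths' the current behaviour applies: every GET that
    carries query parameters is validated, so a harmless GET /search?q=...
    gets challenged too.  With a developer-kept 'watched_paths' list only
    GETs to those paths are validated, as proposed in the message."""
    parts = urlsplit(url)
    watched = config.get("watched_paths")
    if watched is not None:
        return parts.path in watched
    return config.get("validate_get", False) and bool(parts.query)

def handle_get(url, cookies, session_token, config):
    """Return (cookies_to_forward, verdict) for one GET request.

    verdict is None when no validation applied, True on a matching token and
    False when the token was missing or wrong; in the False case the default
    action is taken: cookies are stripped and the request is still forwarded."""
    if not needs_get_validation(url, config):
        return cookies, None
    sent = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [""])[0]
    # Constant-time comparison on bytes so a non-ASCII token cannot raise.
    if hmac.compare_digest(sent.encode(), session_token.encode()):
        return cookies, True
    return {}, False

if __name__ == "__main__":
    cookies = {"PHPSESSID": "abc"}   # constructed sample cookie jar
    token = "t0k3n"                  # constructed session token
    broad = {"validate_get": True}
    listed = {"validate_get": True, "watched_paths": {"/transfer"}}
    print(handle_get("/search?q=csrf", cookies, token, broad))    # cookies stripped
    print(handle_get("/search?q=csrf", cookies, token, listed))   # left alone
    print(handle_get("/transfer?to=x&amount=5", cookies, token, listed))
    print(handle_get(f"/transfer?to=x&{TOKEN_PARAM}={token}", cookies, token, listed))
```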