[Owasp-csrfprotector] protection for GET requests

Abbas Naderi abiusx at owasp.org
Sun May 25 22:29:58 UTC 2014


A list is not the best idea, but a function that returns true or false and is implemented by the developer is a totally different story! 
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On May 25, 2014, at 6:25 PM, Jim Manico <jim.manico at owasp.org> wrote:

> What if we keep a list of specific URLs for which the developer wants to check for CSRF validation in GET requests? This would create no false positives or false negatives, as GET requests to only certain URLs can be vulnerable. If the developer can identify these, we can map every host URL in the request against the list the developer has maintained and provide validation for those only. This will complicate the logic to a certain extent, but we can implement this!
> 
> 
> Great idea, I like it.
> - Jim
> 
> 
>> 
>> Minhaz, 
>> minhaz.cistoner.org || cistoner.org
>> _______________________________________________
>> Owasp-csrfprotector mailing list
>> Owasp-csrfprotector at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
> _______________________________________________
> Owasp-csrfprotector mailing list
> Owasp-csrfprotector at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
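The two designs discussed above, a developer-maintained URL list versus a developer-implemented predicate, side by side as an added example. This is illustration code written for this page, not part of the thread or of OWASP CSRFProtector; the `CsrfGuard` class, `Request` shape, `SENSITIVE_GET_PATHS` entries and both policy functions are assumptions chosen to show the idea. State-changing methods are always validated; a GET is validated only when the developer's predicate says so, and the list approach is simply one possible predicate.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Methods that should carry no side effects (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_FIELD = "csrf_token"


@dataclass
class Request:
    """Minimal request model (constructed for this example, not a framework type)."""
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)


class CsrfGuard:
    """Validates anti-CSRF tokens; GET handling is delegated to a developer predicate."""

    def __init__(self, get_needs_check: Optional[Callable[[Request], bool]] = None):
        # Default predicate: GET requests are never validated (the usual assumption
        # that GET is side-effect free). The developer overrides it for exceptions.
        self.get_needs_check = get_needs_check or (lambda req: False)

    def issue_token(self, session: Dict[str, str]) -> str:
        """Return the per-session token, creating one with a CSPRNG if absent."""
        token = session.get(TOKEN_FIELD)
        if token is None:
            token = secrets.token_hex(32)
            session[TOKEN_FIELD] = token
        return token

    def requires_validation(self, req: Request) -> bool:
        """Unsafe methods always need a token; safe methods only if the predicate says so."""
        if req.method.upper() not in SAFE_METHODS:
            return True
        return bool(self.get_needs_check(req))

    def validate(self, req: Request) -> bool:
        """True if the request may proceed (no check needed, or the token matches)."""
        if not self.requires_validation(req):
            return True
        expected = req.session.get(TOKEN_FIELD)
        # Token may arrive in the form body or, for a GET, in the query string.
        supplied = req.form.get(TOKEN_FIELD) or req.query.get(TOKEN_FIELD)
        if not expected or not supplied:
            return False
        # Constant-time comparison avoids leaking token bytes via timing.
        return hmac.compare_digest(expected, supplied)


# Policy 1: the URL list Minhaz proposed (paths are constructed for this example).
SENSITIVE_GET_PATHS = {"/account/delete", "/admin/toggle-feature"}


def list_policy(req: Request) -> bool:
    return req.path in SENSITIVE_GET_PATHS


# Policy 2: the predicate Abbas prefers; it subsumes the list and can also use
# path prefixes or query parameters, which a flat list cannot express.
def predicate_policy(req: Request) -> bool:
    if req.path in SENSITIVE_GET_PATHS:
        return True
    if req.path.startswith("/admin/"):
        return True
    if "action" in req.query:  # e.g. ?action=delete on an otherwise read-only page
        return True
    return False


def run_scenarios() -> Dict[str, bool]:
    """Exercise both policies on constructed requests; returns decisions by label."""
    session: Dict[str, str] = {}
    list_guard = CsrfGuard(list_policy)
    pred_guard = CsrfGuard(predicate_policy)
    token = pred_guard.issue_token(session)
    return {
        "get_home_no_token": pred_guard.validate(Request("GET", "/home", session=session)),
        "get_admin_no_token": pred_guard.validate(Request("GET", "/admin/users", session=session)),
        "get_admin_with_token": pred_guard.validate(
            Request("GET", "/admin/users", query={TOKEN_FIELD: token}, session=session)),
        "get_action_param_no_token": pred_guard.validate(
            Request("GET", "/export", query={"action": "delete"}, session=session)),
        "post_no_token": pred_guard.validate(Request("POST", "/profile", session=session)),
        "post_good_token": pred_guard.validate(
            Request("POST", "/profile", form={TOKEN_FIELD: token}, session=session)),
        "post_wrong_token": pred_guard.validate(
            Request("POST", "/profile", form={TOKEN_FIELD: "x" * 64}, session=session)),
        # The list misses /admin/users; the predicate catches it via the prefix rule.
        "list_checks_admin_users": list_guard.requires_validation(Request("GET", "/admin/users")),
        "pred_checks_admin_users": pred_guard.requires_validation(Request("GET", "/admin/users")),
    }


if __name__ == "__main__":
    for label, allowed in run_scenarios().items():
        print(f"{label:28s} -> {'allow' if allowed else 'reject'}")
```

The predicate receives the whole request, so the developer can key the decision on path, prefix, or query parameters rather than a fixed list of URLs; the `list_checks_admin_users` versus `pred_checks_admin_users` pair shows a GET the list approach would leave unchecked. GET handlers that change state are still best converted to POST; the predicate is for the ones that cannot be.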


