[Owasp-csrfprotector] protection for GET requests

Minhaz A V minhazav at gmail.com
Sun May 25 22:34:23 UTC 2014


Abbas, I couldn't get you?



Minhaz,
minhaz.cistoner.org || cistoner.org


On Mon, May 26, 2014 at 3:59 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> A list is not the best idea, but a function that returns true or false and
> is implemented by the developer is a totally different story!
> -A
>
> On May 25, 2014, at 6:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> What if we keep a list of specific urls for which the developer wants to check
> for CSRF validation in GET requests? This would create no false positive or
> false negative, as GET requests to only certain urls can be vulnerable. If the
> developer can identify this, we can map every host url in the request against
> the list the developer has maintained and provide validation for those only.
> This will complicate the logic to a certain extent, but we can implement
> it!
>
>
> Great idea, I like it.
> - Jim
>
>
>
> Minhaz,
> minhaz.cistoner.org || cistoner.org
>
> _______________________________________________
> Owasp-csrfprotector mailing list
> Owasp-csrfprotector at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
>
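As an added illustration of the two options discussed in this thread (this is example code, not CSRFProtector's own): a guard that always validates the token on non-GET requests and, for GET, defers to a developer-supplied function returning true or false, with the URL-list idea written as one such function. The `Request` class, the hook signature and the cookie/parameter names are assumptions made for the example, and token checking assumes a double-submit cookie.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable

# Assumed request shape for the example (not the library's real request object).
@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)

# Assumed names for the example; not CSRFProtector's configuration.
TOKEN_COOKIE = "csrf_token"
TOKEN_PARAM = "csrf_token"

def token_is_valid(req: Request) -> bool:
    """Double-submit check: the token in the request must match the one in the cookie."""
    expected = req.cookies.get(TOKEN_COOKIE)
    supplied = req.params.get(TOKEN_PARAM)
    if not expected or not supplied:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, supplied)

def should_allow(req: Request, get_needs_check: Callable[[Request], bool]) -> bool:
    """Non-GET requests are always checked; GET only when the developer's hook says so."""
    if req.method.upper() != "GET" or get_needs_check(req):
        return token_is_valid(req)
    return True  # a GET the developer did not mark as sensitive passes without a token

# The URL-list approach from the thread, expressed as a developer-implemented hook.
# Prefixes are constructed sample values.
SENSITIVE_GET_PREFIXES = ("/account/delete", "/admin/")

def list_based_hook(req: Request) -> bool:
    return req.path.startswith(SENSITIVE_GET_PREFIXES)

if __name__ == "__main__":
    # A plain GET needs no token; a listed GET without a token is refused.
    print(should_allow(Request("GET", "/home"), list_based_hook))          # True
    print(should_allow(Request("GET", "/admin/users"), list_based_hook))   # False
```

Because the hook is an ordinary function, a developer can replace the prefix list with any rule the application needs (for example, checking a query parameter) without changing the guard itself.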