[Owasp-csrfprotector] protection for GET requests

Abbas Naderi abiusx at owasp.org
Sun May 25 22:35:58 UTC 2014


What if the application uses dynamic URLs? What if it has so many URLs that need to be verified, and only one not to be verified?

We can expect the developer to create a function that receives a URL, and returns true if it needs to be CSRF protected and false otherwise, and then use that function to decide what to do.

A list can easily be implemented using that as well.
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On May 25, 2014, at 6:34 PM, Minhaz A V <minhazav at gmail.com> wrote:

> Abbas, I couldn't get you?
> 
> 
> 
> Minhaz, 
> minhaz.cistoner.org || cistoner.org
> 
> 
> On Mon, May 26, 2014 at 3:59 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> A list is not the best idea, but a function that returns true or false and is implemented by the developer is a totally different story! 
> -A
> 
> On May 25, 2014, at 6:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> What if we keep a list of specific URLs for which the developer wants to check for CSRF validation in GET requests? This would create no false positives or false negatives, as GET requests to only certain URLs can be vulnerable. If the developer can identify these, we can map every host URL in a request against the list the developer has maintained and provide validation for those only. This will complicate the logic to a certain extent, but we can implement it!
>> 
>> 
>> Great idea, I like it.
>> - Jim
>> 
>> 
>>> 
>>> Minhaz, 
>>> minhaz.cistoner.org || cistoner.org
>>> _______________________________________________
>>> Owasp-csrfprotector mailing list
>>> Owasp-csrfprotector at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
> 
> 

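The predicate-based design Abbas proposes above (a developer-supplied function that takes a URL and returns true when a GET to it must be CSRF-validated, with a plain URL list expressible as one such predicate), written out as an added example. This is not code from the thread or from CSRFProtector itself (which is a PHP library); it is a Python illustration, and the route patterns, the exempt URL, the token values and the function names are all made up for it.

```python
"""Added example, not CSRFProtector code: a developer predicate deciding which
GET requests need CSRF validation, a list-backed predicate on the same
interface, and the library-side decision that uses it."""
import hmac
import posixpath
import re
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Type of the hook the developer implements: URL in, "needs a token" out.
NeedsProtection = Callable[[str], bool]

# Constructed state-changing GET routes; some have dynamic segments.
_STATE_CHANGING = [
    re.compile(r"^/account/delete$"),
    re.compile(r"^/users/\d+/role/[a-z]+$"),
    re.compile(r"^/admin/.*"),
]
# Constructed exception: the one URL under a protected prefix that must not
# be validated ("so many URLs to verify, and only one not to be verified").
_EXEMPT = [re.compile(r"^/admin/health$")]


def _normalized_path(url: str) -> str:
    """Path component only, dot-segments collapsed, so the predicate sees the
    same path the router dispatches on (query string and fragment ignored)."""
    path = urlsplit(url).path or "/"
    return posixpath.normpath(path)


def needs_csrf_check(url: str) -> bool:
    """Developer predicate: True if a GET to this URL must carry a valid token."""
    path = _normalized_path(url)
    if any(p.match(path) for p in _EXEMPT):
        return False
    return any(p.match(path) for p in _STATE_CHANGING)


def predicate_from_list(urls: Iterable[str]) -> NeedsProtection:
    """Build a predicate from a static list of URLs, showing that the list
    approach is just a special case of the function approach."""
    protected = {_normalized_path(u) for u in urls}
    return lambda url: _normalized_path(url) in protected


def should_validate(method: str, url: str, predicate: NeedsProtection) -> bool:
    """Library-side decision: state-changing methods are always validated;
    GET is delegated to the developer's predicate."""
    if method.upper() != "GET":
        return True
    return predicate(url)


def validate_request(method: str, url: str, token_in_request: Optional[str],
                     session_token: Optional[str],
                     predicate: NeedsProtection) -> bool:
    """Return True if the request may proceed. A request that needs checking
    must carry a token equal (constant-time compare) to the session's token."""
    if not should_validate(method, url, predicate):
        return True
    if token_in_request is None or session_token is None:
        return False
    return hmac.compare_digest(token_in_request, session_token)


if __name__ == "__main__":
    # Constructed sample requests.
    print(needs_csrf_check("/account/delete?confirm=1"))      # True
    print(needs_csrf_check("/admin/health"))                  # False
    print(needs_csrf_check("/public/../admin/users"))         # True (normalised)
    print(validate_request("GET", "/account/delete", "t0k", "t0k", needs_csrf_check))
```

The one caveat worth keeping in mind with a URL predicate is that it must classify the path exactly as the application's router does; here that is approximated by stripping the query string and collapsing `..` segments before matching, so `/public/../admin/users` is treated as the protected `/admin/users` rather than slipping past the prefix pattern.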