[Owasp-csrfprotector] protection for GET requests

Minhaz A V minhazav at gmail.com
Sun May 25 22:45:43 UTC 2014


Yeah, this is a better idea: rather than implementing the logic directly
into the validation code,
we can provide a function which can be overridden by a user-defined function.
In the basic method we can provide the mechanism that is in our scope, i.e. to map
the current request URL against all those mentioned in the array of URLs to be validated.


Minhaz,
minhaz.cistoner.org || cistoner.org


On Mon, May 26, 2014 at 4:05 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> What if the application uses dynamic URLs? What if it has so many URLs
> that need to be verified, and only one not to be verified?
>
> We can expect the developer to create a function that receives a URL, and
> returns true if it needs to be CSRF protected and false otherwise, and then
> use that function to decide what to do.
>
> A list can easily be implemented using that as well.
> -A
>      ______________________________________________________________
> *Notice:* This message is *digitally signed*, its *source* and *integrity* are
> verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
>
> On May 25, 2014, at 6:34 PM, Minhaz A V <minhazav at gmail.com> wrote:
>
> Abbas, I couldn't get you?
>
>
>
> Minhaz,
> minhaz.cistoner.org || cistoner.org
>
>
> On Mon, May 26, 2014 at 3:59 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> A list is not the best idea, but a function that returns true or false
>> and is implemented by the developer is a totally different story!
>> -A
>>
>> On May 25, 2014, at 6:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> What if we keep a list of specific URLs for which the developer wants to check
>> for CSRF validation in GET requests? This would create no false positives or
>> false negatives, as GET requests to only certain URLs can be vulnerable. If the
>> developer can identify these, we can map every host URL in a request against the
>> list the developer has maintained and provide validation for those only.
>> This will complicate the logic to a certain extent, but we can implement
>> it!
>>
>>
>> Great idea, I like it.
>> - Jim
>>
>>
>>
>> Minhaz,
>> minhaz.cistoner.org || cistoner.org
>>
>> _______________________________________________
>> Owasp-csrfprotector mailing list
>> Owasp-csrfprotector at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
>>
>>
>>
>
>
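One way to implement the policy discussed in this thread, as an added example that is not CSRFProtector's own code: the default decision matches the request path against a developer-maintained array of URL patterns, and the developer can replace that decision entirely with a callable (the "function that receives a URL and returns true or false" Abbas describes) to handle dynamic URLs. The class and function names, the `csrfp_token` parameter name, the `*` wildcard syntax and the request-array shape standing in for PHP's superglobals are all assumptions made for the illustration.

```php
<?php
// Added example, not CSRFProtector's code. Decides which GET requests must
// carry a CSRF token; non-GET requests are always checked.

final class GetCsrfPolicy
{
    /** @var callable(string): bool */
    private $decider;

    /**
     * @param string[]      $protectedUrls patterns such as "/account/delete/*"
     *                                      ("*" matches any run of characters)
     * @param callable|null $override      optional callable(string $url): bool
     *                                      that replaces the list-based default
     */
    public function __construct(array $protectedUrls, ?callable $override = null)
    {
        $this->decider = $override ?? self::listMatcher($protectedUrls);
    }

    public function requiresToken(string $url): bool
    {
        return (bool) ($this->decider)($url);
    }

    /** Default policy: the request path matches one listed pattern (query string ignored). */
    public static function listMatcher(array $patterns): callable
    {
        $regexes = array_map(function (string $p): string {
            // quote everything, then turn the escaped "*" back into a wildcard
            return '#^' . str_replace('\*', '.*', preg_quote($p, '#')) . '$#';
        }, $patterns);

        return function (string $url) use ($regexes): bool {
            $path = parse_url($url, PHP_URL_PATH);
            if (!is_string($path)) {
                $path = '/';
            }
            foreach ($regexes as $re) {
                if (preg_match($re, $path) === 1) {
                    return true;
                }
            }
            return false;
        };
    }
}

/**
 * Validate one request. $request is an associative array standing in for the
 * superglobals: 'method', 'url', 'params' (query or POST fields), 'cookie'.
 * Returns true if the request may proceed.
 */
function validateRequest(array $request, GetCsrfPolicy $policy, string $tokenName = 'csrfp_token'): bool
{
    $method = strtoupper($request['method']);
    $needsCheck = $method !== 'GET' || $policy->requiresToken($request['url']);
    if (!$needsCheck) {
        return true; // ordinary GET: no token required
    }
    $sent   = $request['params'][$tokenName] ?? '';
    $stored = $request['cookie'][$tokenName] ?? '';
    // constant-time comparison so the token cannot be guessed byte by byte
    return $sent !== '' && $stored !== '' && hash_equals($stored, $sent);
}

// Constructed demonstration data.
$policy = new GetCsrfPolicy(['/account/delete/*', '/settings/email']);
$token  = bin2hex(random_bytes(16));

$plainGet  = ['method' => 'GET',  'url' => '/posts/42',          'params' => [],                        'cookie' => []];
$unsafeGet = ['method' => 'GET',  'url' => '/account/delete/42', 'params' => [],                        'cookie' => ['csrfp_token' => $token]];
$okGet     = ['method' => 'GET',  'url' => '/account/delete/42', 'params' => ['csrfp_token' => $token], 'cookie' => ['csrfp_token' => $token]];
$postNoTok = ['method' => 'POST', 'url' => '/posts/42',          'params' => [],                        'cookie' => ['csrfp_token' => $token]];

var_dump(validateRequest($plainGet, $policy));
var_dump(validateRequest($unsafeGet, $policy));
var_dump(validateRequest($okGet, $policy));
var_dump(validateRequest($postNoTok, $policy));

// Developer override for dynamic URLs: protect every GET except a read-only prefix.
$custom = new GetCsrfPolicy([], fn(string $url): bool => strpos($url, '/public/') !== 0);
var_dump(validateRequest(['method' => 'GET', 'url' => '/public/feed', 'params' => [], 'cookie' => []], $custom));
var_dump(validateRequest(['method' => 'GET', 'url' => '/orders/cancel/7', 'params' => [], 'cookie' => []], $custom));
```

The list-based default is only a convenience built on top of the callable, which is the point made in the thread: a developer with many dynamic URLs, or one exception among many protected paths, writes a predicate instead of enumerating URLs. Matching on the path rather than the full URL avoids trivial bypasses by appending a query string, and `hash_equals` keeps the token comparison constant-time.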