[Owasp-leaders] Top Ten Cheater!

Erlend Oftedal Erlend.Oftedal at BEKK.no
Sat Mar 31 10:45:19 UTC 2012

As a developer this puzzles me a bit. What is the purpose of avoiding hidden fields and custom headers? This is very likely the way people submit CSRFtokens. Especially in the context of xhr requests custom headers is by far the best option for submitting a csrftoken allowing you to apply the defense as a simple filter. Loads of frameworks (ASP.NET likely the most prominent) use hidden fields for view state.

From: Jim Manico
Sent: 31.03.2012 11:36
To: owasp-leaders at lists.owasp.org; Andrew van der Stock
Subject: [Owasp-leaders] Top Ten Cheater!

OWASP Leaders,

Andrew van der Stock was kind enough to donate his OWASP Top Ten
Developer cheatsheet to the foundation recently.

Check this puppy out!


I'll be enhancing and linking this bad boy up over the next few weeks.
And advice and additional contributions are appreciated.

Thanks all!

Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120331/0e8f417a/attachment.html>

More information about the OWASP-Leaders mailing list