[Owasp-leaders] Top Ten Cheater!

Jim Manico jim.manico at owasp.org
Sat Mar 31 12:42:27 UTC 2012


Well said, removing that right now.

Any other feedback? Send it my way!

I took Andrew's PDF and wikified it, it's a good start but needs work. I 
will continue to tweak the content over the next week.

Thanks Erlend!
-- 
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org
www.owasp.org


> As a developer this puzzles me a bit. What is the purpose of avoiding 
> hidden fields and custom headers? This is very likely the way people 
> submit CSRF tokens. Especially in the context of XHR requests, custom 
> headers are by far the best option for submitting a CSRF token, allowing 
> you to apply the defense as a simple filter. Loads of frameworks 
> (ASP.NET likely the most prominent) use hidden fields for view state.
>
> Erlend
> ------------------------------------------------------------------------
> From: Jim Manico
> Sent: 31.03.2012 11:36
> To: owasp-leaders at lists.owasp.org; Andrew van der Stock
> Subject: [Owasp-leaders] Top Ten Cheater!
>
> OWASP Leaders,
>
> Andrew van der Stock was kind enough to donate his OWASP Top Ten
> Developer cheatsheet to the foundation recently.
>
> Check this puppy out!
>
> https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
>
> I'll be enhancing and linking this bad boy up over the next few weeks.
> Any advice and additional contributions are appreciated.
>
> Thanks all!
>
> -- 
> Jim Manico
>
> Connections Committee Chair
> Cheatsheet Series Product Manager
> OWASP Podcast Producer/Host
>
> jim at owasp.org
> www.owasp.org
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


