[Owasp-leaders] CSRF Cheating

Jim Manico jim.manico at owasp.org
Sat Jan 26 09:02:22 UTC 2013


I'm just not 100% sure what we want to say to developers if we want a
"cheat" type 1 or 2 page document.

I'm pretty sure we just want to show how to enable CSRF protection in
modern frameworks, that seems critical to me.

We probably also want to discuss token synchronizer for legacy frameworks.

That alone may be enough. It's easy to be verbose •cough• but it's
difficult to be concise and clear regarding complex technical topics
like this.

Can we start with an outline before you get too deep into this, Abbas?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Jan 25, 2013, at 8:43 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:

> Hello,
> I'm on to this but I think some code samples are required first. If you give me a month I think something good will happen.
> -Abbas
> On 7 Bahman 1391, at 6:19, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Hello folks,
>>
>> I'd like to see the current CSRF Prevention cheat sheet reviewed and revamped. I think it needs a bit more brevity and some technical cleanup.
>>
>> Does anyone here with expertise in CSRF defense care to take this on?
>>
>> I think we want to discuss the tradeoff between token synchronizer, token synchronizer per request, and double-submit cookie. We should also discuss re-authentication here.
>>
>> Ideally, someone who understands deeply how the different frameworks handle CSRF would be helpful.
>>
>> Any takers?
>>
>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
>>
>> Aloha,
>> Jim Manico
>> @Manicode
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>

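The thread names three token patterns for the cheat sheet (a per-session synchronizer token, a per-request synchronizer token, and the double-submit cookie) without showing any code. The block below is an added example written for this page; it is not from the OWASP cheat sheet, from the frameworks the thread mentions, or from any list participant. It is framework-neutral Python. Assumptions (all hypothetical, not from the thread): `session` is a server-side dict looked up from the session cookie, `SERVER_SECRET` is a long-lived secret only the server knows (generated at import here, loaded from configuration in real code), `MAX_LIVE_TOKENS` is an arbitrary cap on outstanding per-request tokens, and the double-submit variant shown is the signed, session-bound form rather than the naive "cookie equals form field" comparison.

```python
"""Added example (not from the cheat sheet or the thread): the three CSRF
token patterns named on the list, in framework-neutral Python.

Assumptions: `session` is a server-side dict keyed by the session cookie,
`SERVER_SECRET` is known only to the server, and `session_id` is the
value of the session cookie (already authenticated) for the request."""
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical: generated here so the module runs stand-alone; a real
# deployment loads a stable secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# --- 1. Synchronizer token, one per session -------------------------------
def issue_session_token(session: dict) -> str:
    """Create the session's token once; templates echo it into every form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def verify_session_token(session: dict, submitted: Optional[str]) -> bool:
    """Reject a state-changing request unless the form field matches."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time compare

# --- 2. Synchronizer token, one per request (single use) ------------------
MAX_LIVE_TOKENS = 16  # hypothetical cap: open tabs beyond this invalidate the oldest

def issue_request_token(session: dict) -> str:
    """Fresh token for each rendered form, stored until it is consumed."""
    tokens = session.setdefault("csrf_tokens", [])
    token = secrets.token_urlsafe(32)
    tokens.append(token)
    del tokens[:-MAX_LIVE_TOKENS]  # keep only the newest MAX_LIVE_TOKENS
    return token

def verify_request_token(session: dict, submitted: Optional[str]) -> bool:
    """Valid exactly once: the token is removed on success, so a replayed
    form (or a second click) fails. This is the usability cost the thread
    alludes to with back-button and multi-tab use."""
    tokens = session.get("csrf_tokens", [])
    if not submitted:
        return False
    for i, tok in enumerate(tokens):
        if hmac.compare_digest(tok, submitted):
            del tokens[i]
            return True
    return False

# --- 3. Double-submit cookie, signed and bound to the session -------------
# Naive double-submit only checks cookie == form field. Anyone who can set a
# cookie for the site (a sibling subdomain, or a plain-HTTP MITM) can pick
# both values. Signing the value with a server secret over the session id
# means an attacker-chosen cookie cannot verify, with no server-side state.
def _sign(session_id: str, nonce: str) -> str:
    mac = hmac.new(SERVER_SECRET, f"{session_id}!{nonce}".encode(), hashlib.sha256)
    return mac.hexdigest()

def issue_double_submit(session_id: str) -> str:
    """Value to set as the CSRF cookie AND embed in the form (same string)."""
    nonce = secrets.token_urlsafe(16)
    return f"{_sign(session_id, nonce)}.{nonce}"

def verify_double_submit(session_id: str, cookie: Optional[str],
                         submitted: Optional[str]) -> bool:
    """Cookie and form field must match, and the cookie's MAC must verify
    against the current session id under the server secret."""
    if not cookie or not submitted or not hmac.compare_digest(cookie, submitted):
        return False
    mac, sep, nonce = cookie.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(mac, _sign(session_id, nonce))

if __name__ == "__main__":
    # Constructed walk-through: a forged cross-site POST carries no token
    # (the attacker cannot read the victim's page), so every check fails.
    sess = {"user": "alice"}
    print("session token, legit :", verify_session_token(sess, issue_session_token(sess)))
    print("session token, forged:", verify_session_token(sess, None))
    once = issue_request_token(sess)
    print("per-request, first   :", verify_request_token(sess, once))
    print("per-request, replay  :", verify_request_token(sess, once))
    ds = issue_double_submit("sid-alice")
    print("double-submit, legit :", verify_double_submit("sid-alice", ds, ds))
    print("double-submit, other :", verify_double_submit("sid-mallory", ds, ds))
```

Whichever pattern a framework uses, the check only applies to requests that change state; safe methods (GET, HEAD, OPTIONS) must have no side effects, or the token does nothing. The per-session token is the common default; the per-request token trades usability for a narrower replay window; the signed double-submit cookie is the option for stateless back ends.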
