[Owasp-leaders] CSRF Cheating

Abbas Naderi abbas.naderi at owasp.org
Sat Jan 26 09:06:54 UTC 2013


Hey
I think CSRF is a deep vulnerability and people need to understand it to effectively mitigate it. And I strongly believe that even if they understand it, they just need to copy code snippets. Why?

Because of the many emails I receive about PHP CSRFguard and lots of blog posts on it I have seen around.

I have mentioned thrice on the page not to copy the code, and have separated it to be un-copy-able, but still people copy it and flaw their systems.

Check the discussion page on PHP CSRFguard for more info!

I'm also a fan of precise, concise solutions, but in the case of CSRF, I know none.
-Abbas
On 7 Bahman 1391, at 12:32, Jim Manico <jim.manico at owasp.org> wrote:

> I'm just not 100% sure what we want to say to developers if we want a
> "cheat" type 1 or 2 page document.
> 
> I'm pretty sure we just want to show how to enable CSRF protection in
> modern frameworks, that seems critical to me.
> 
> We probably also want to discuss token synchronizer for legacy frameworks.
> 
> That alone may be enough. It's easy to be verbose •cough• but it's
> difficult to be concise and clear regarding complex technical topics
> like this.
> 
> Can we start with an outline before you get too deep into this, Abbas?
> 
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
> On Jan 25, 2013, at 8:43 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
> 
>> Hello,
>> I'm on to this but I think some code samples are required first. If you give me a month I think something good will happen.
>> -Abbas
>> On 7 Bahman 1391, at 6:19, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> Hello folks,
>>> 
>>> I'd like to see the current CSRF Prevention cheat sheet reviewed and revamped. I think it needs a bit more brevity and some technical cleanup.
>>> 
>>> Does anyone here with expertise in CSRF defense care to take this on?
>>> 
>>> I think we want to discuss the tradeoff between token synchronizer, token synchronizer per request, and double-submit cookie. We should also discuss re-authentication here.
>>> 
>>> Ideally, someone who understands deeply how the different frameworks handle CSRF would be helpful.
>>> 
>>> Any takers?
>>> 
>>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
>>> 
>>> Aloha,
>>> Jim Manico
>>> @Manicode
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 

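The three token patterns Jim names in the thread above (synchronizer token per session, synchronizer token per request, double-submit cookie), as an added worked example that is not part of this thread and is not PHP CSRFguard's code. It assumes a plain dict standing in for server-side session storage, a constructed per-deployment server secret (SERVER_SECRET) for the double-submit variant, and an arbitrary cap (MAX_REQUEST_TOKENS) on outstanding single-use tokens; all three are assumptions made for the demo.

```python
"""Three CSRF token patterns side by side: per-session synchronizer token,
per-request (single-use) synchronizer token, and the double-submit cookie."""
import hashlib
import hmac
import secrets

# Assumption: a per-deployment server secret, used only by the double-submit
# variant. Constructed here for the demo; in production it comes from config.
SERVER_SECRET = secrets.token_bytes(32)

# Assumption: upper bound on outstanding single-use tokens per session.
MAX_REQUEST_TOKENS = 50


def _equal(expected, submitted):
    """Constant-time comparison that tolerates missing or non-string input."""
    if not isinstance(expected, str) or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


# --- 1. Synchronizer token, one per session ---------------------------------
def issue_session_token(session):
    """Mint the token once; reuse it for the life of the session."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def verify_session_token(session, submitted):
    return _equal(session.get("csrf_token"), submitted)


# --- 2. Synchronizer token, one per request (single use) --------------------
def issue_request_token(session):
    """Each rendered form gets a fresh token; the list is bounded so a user
    with many open forms cannot grow the session without limit."""
    tokens = session.setdefault("csrf_request_tokens", [])
    token = secrets.token_urlsafe(32)
    tokens.append(token)
    if len(tokens) > MAX_REQUEST_TOKENS:
        del tokens[0]  # evict the oldest outstanding token
    return token


def verify_request_token(session, submitted):
    """Accept a token at most once: replaying the same value fails."""
    tokens = session.get("csrf_request_tokens", [])
    matched = None
    for candidate in tokens:  # compare every entry, no early exit
        if _equal(candidate, submitted):
            matched = candidate
    if matched is None:
        return False
    tokens.remove(matched)
    return True


# --- 3. Double-submit cookie (no server-side state) -------------------------
def issue_double_submit_pair():
    """Return (cookie_value, form_value). The form value is an HMAC of the
    cookie value under the server secret, so someone able to plant a cookie
    of their choosing still cannot produce a matching form field."""
    cookie_value = secrets.token_urlsafe(32)
    form_value = hmac.new(SERVER_SECRET, cookie_value.encode("utf-8"), hashlib.sha256).hexdigest()
    return cookie_value, form_value


def verify_double_submit(cookie_value, form_value):
    if not isinstance(cookie_value, str) or not cookie_value:
        return False
    expected = hmac.new(SERVER_SECRET, cookie_value.encode("utf-8"), hashlib.sha256).hexdigest()
    return _equal(expected, form_value)


def demo():
    """Run each pattern through a legitimate submit and a forged one. The forged
    submit models a cross-site POST: the browser attaches the victim's cookie
    and session, but the attacker cannot read the token the page carries."""
    results = {}
    session = {}

    legit = issue_session_token(session)
    results["session_stable"] = issue_session_token(session) == legit
    results["session_legit"] = verify_session_token(session, legit)
    results["session_forged"] = verify_session_token(session, secrets.token_urlsafe(32))
    results["session_missing"] = verify_session_token(session, None)

    one_shot = issue_request_token(session)
    results["request_first_use"] = verify_request_token(session, one_shot)
    results["request_replay"] = verify_request_token(session, one_shot)

    cookie, form = issue_double_submit_pair()
    results["double_legit"] = verify_double_submit(cookie, form)
    planted = "attacker-chosen-cookie"  # attacker sets a cookie, guesses a form value
    guessed = hmac.new(b"wrong-key", planted.encode("utf-8"), hashlib.sha256).hexdigest()
    results["double_planted"] = verify_double_submit(planted, guessed)
    results["double_cookie_only"] = verify_double_submit(cookie, None)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:20s} accepted={accepted}")
```

The per-session token is the form most frameworks switch on by default and is the least disruptive; per-request tokens buy replay resistance at the cost of breaking the back button and multiple tabs unless, as here, several outstanding tokens are kept; the double-submit cookie needs no server state, but the unsigned variant (cookie simply equal to the form field) is defeated by anyone who can set a cookie for the site, which is why the form value above is keyed with a server secret.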
