[Owasp-leaders] CSRF Cheating

Chris Schmidt chris.schmidt at aspectsecurity.com
Mon Jan 28 04:13:02 UTC 2013


Illustrating a pattern for CSRF protection of AJAX enabled applications
may be a good addition to this.

On 1/26/13 2:02 AM, "Jim Manico" <jim.manico at owasp.org> wrote:

>I'm just not 100% sure what we want to say to developers if we want a
>"cheat" type 1 or 2 page document.
>
>I'm pretty sure we just want to show how to enable CSRF protection in
>modern frameworks, that seems critical to me.
>
>We probably also want to discuss token synchronizer for legacy frameworks.
>
>That alone may be enough. It's easy to be verbose •cough• but it's
>difficult to be concise and clear regarding complex technical topics
>like this.
>
>Can we start with an outline before you get too deep into this, Abbas?
>
>Aloha,
>--
>Jim Manico
>@Manicode
>(808) 652-3805
>
>On Jan 25, 2013, at 8:43 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>
>> Hello,
>> I'm on to this but I think some code samples are required first. If you
>>give me a month I think something good will happen.
>> -Abbas
>> On 7 Bahman 1391, at 6:19, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Hello folks,
>>>
>>> I'd like to see the current CSRF Prevention cheat sheet reviewed and
>>>revamped. I think it needs a bit more brevity and some technical
>>>cleanup.
>>>
>>> Does anyone here with expertise in CSRF defense care to take this on?
>>>
>>> I think we want to discuss the tradeoff between token synchronizer,
>>>token synchronizer per request, and double-submit cookie. We should
>>>also discuss re-authentication here.
>>>
>>> Ideally, someone who understands deeply how the different frameworks
>>>handle CSRF would be helpful.
>>>
>>> Any takers?
>>>
>>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
>>>
>>> Aloha,
>>> Jim Manico
>>> @Manicode
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
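The three token patterns Jim names (synchronizer token per session, synchronizer token per request, double-submit cookie) plus the header-carried token for AJAX requests that Chris suggests, as an added example that is not part of this thread or of any OWASP project code. The in-memory session store, the request shape and the header name X-CSRF-Token are assumptions chosen for illustration.

```python
import hmac
import secrets


class CsrfGuard:
    """Server-side CSRF checks. Sessions are an assumed plain dict:
    session_id -> {"csrf": per-session token, "nonces": unused one-time tokens}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"csrf": secrets.token_urlsafe(32), "nonces": set()}
        return sid

    # Pattern 1: synchronizer token, one per session, embedded in every form.
    def session_token(self, sid):
        return self.sessions[sid]["csrf"]

    def check_sync(self, sid, submitted):
        expected = self.sessions.get(sid, {}).get("csrf")
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected, submitted)  # constant-time compare

    # Pattern 2: synchronizer token per request: single-use, burned on first check,
    # so a captured token cannot be replayed (at the cost of server-side state).
    def issue_nonce(self, sid):
        nonce = secrets.token_urlsafe(16)
        self.sessions[sid]["nonces"].add(nonce)
        return nonce

    def check_nonce(self, sid, submitted):
        nonces = self.sessions.get(sid, {}).get("nonces", set())
        if submitted in nonces:
            nonces.discard(submitted)
            return True
        return False

    # Pattern 3: double-submit cookie: the value in the cookie must equal the value
    # echoed in the body or header; no server state, but relies on cookie integrity.
    @staticmethod
    def check_double_submit(cookie_value, submitted):
        if not cookie_value or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(cookie_value, submitted)


def check_ajax(request, guard):
    """AJAX pattern: the session token travels in a custom header (assumed name),
    which a cross-site form post cannot set; request is an assumed dict."""
    return guard.check_sync(request["session_id"], request["headers"].get("X-CSRF-Token"))
```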
