[Owasp-leaders] Protecting Django apps from CSRF

Gregory Disney gregory.disney at owasp.org
Thu May 16 16:06:22 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The issue with jQuery is that it is simple to override via the net console:

    javascript:document.cookie="csrf_token=ID";
    name = "csrf_token";
    cookieValue = decodeURIComponent(document.cookie.substring(name.length + 1));
    csrftoken = document.cookie;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQEcBAEBAgAGBQJRlQP+AAoJEHJ6fv5JwWqhQZUH/jNY8aJmDYAdrel4L3GLi/mc
Q/NA5CuV/gLvQDk4XWZdQtYjny4tNJw9mVRB58ABqShEhx+it1gzHc9DboJIZhVw
XXwFTQ+SgJrGPH3ipbcVomBfw1Gy1XK1M6tu32zhVcnX4CMC/ABrxK/PrnaErOKk
fGY+rq8Mq0hmaBtLs1Gc6I0UvX/DLfwsuibcxmpfLjkGm5rQ+zjmCmgsI6PWITUg
PDSMOayxDj4TnsWNsbzdeZWW/AE67sA7ba887ruqy8exbFfM5M5LwRq9S8rw1x1A
peF5DpuZ1QUmHcN1yrCLQqgP9PqY1KRoVCGn5Iuu3uEOws4ymggclrgR4WmaQ9I=
=qhFq
-----END PGP SIGNATURE-----


On Thu, May 16, 2013 at 11:53 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> While I'm up to my ears with Python at Rackspace & with OpenStack, I've
> not used Django for any of the code I've written recently - or actually
> ever.
>
> I've got an app which is basically using the Django CSRF protection as
> outlined here:
> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
> for both "normal" web forms as well as AJAX calls.
>
> I'm curious about anyone's experience with the Django CSRF protection, how
> well it works and any "gotchas", weakness or other issues with Django's
> CSRF protection.
>
> List or direct replies appreciated.
>
> Thanks in advance.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
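For anyone reading this thread later: the check Matt is asking about is a double-submit cookie scheme, and the "gotchas" follow directly from how the comparison works. Below is an added illustration written for this archive page; it is not Django's own middleware code, but a plain-Python reimplementation of the rules documented for django.middleware.csrf.CsrfViewMiddleware in the Django 1.5 era: safe methods are never checked, every other request must carry a csrftoken cookie whose value matches the token sent either as the csrfmiddlewaretoken form field or as the X-CSRFToken header (the AJAX path), and HTTPS requests must additionally present a same-host Referer. The token values, host names and request dictionaries are constructed test data, and the helper names (csrf_check, run_scenarios, sanitize_token) are this example's own.

```python
# Added example, not Django's code: a Django-1.5-style CSRF check in plain
# Python. Mirrors the documented rules of CsrfViewMiddleware; all request
# data below is constructed for illustration.
import hmac
import re
from urllib.parse import urlsplit

CSRF_COOKIE = "csrftoken"                # cookie name Django sets
CSRF_FORM_FIELD = "csrfmiddlewaretoken"  # hidden field from {% csrf_token %}
CSRF_HEADER = "HTTP_X_CSRFTOKEN"         # request.META key for X-CSRFToken
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
_NON_ALNUM = re.compile(r"[^a-zA-Z0-9]")


def sanitize_token(token):
    """Keep only alphanumerics (max 64 chars), as Django does, so a tampered
    cookie cannot push arbitrary bytes into templates or headers."""
    return _NON_ALNUM.sub("", token or "")[:64]


def csrf_check(method, cookies, post, meta, is_secure=False):
    """Accept or reject one request. `meta` mimics request.META (HTTP_HOST,
    HTTP_REFERER, HTTP_X_CSRFTOKEN). Returns (accepted, reason)."""
    if method in SAFE_METHODS:
        return True, "safe method"
    if is_secure:
        # Cookies are not origin-bound: an http:// page on the same host could
        # inject one, so HTTPS requests must also prove a same-host Referer.
        referer = meta.get("HTTP_REFERER")
        if not referer:
            return False, "Referer checking failed - no Referer"
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.netloc != meta.get("HTTP_HOST"):
            return False, "Referer checking failed - %s does not match host" % referer
    if CSRF_COOKIE not in cookies:
        return False, "CSRF cookie not set"
    cookie_token = sanitize_token(cookies[CSRF_COOKIE])
    # Normal form: hidden field. AJAX: X-CSRFToken header set by same-origin JS.
    request_token = post.get(CSRF_FORM_FIELD, "") if method == "POST" else ""
    if not request_token:
        request_token = meta.get(CSRF_HEADER, "")
    request_token = sanitize_token(request_token)
    # Constant-time comparison: the token is a secret for this browser session.
    if not cookie_token or not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token missing or incorrect"
    return True, "ok"


def run_scenarios():
    """Constructed requests covering the cases discussed in the thread."""
    token = "Qm7dXw2Rk9pLz3Vb8Nt5Hc1Ys6Fa4Je0"   # 32 alnum chars, made up
    site = {CSRF_COOKIE: token}
    https = {"HTTP_HOST": "app.example"}
    return {
        # {% csrf_token %} form submitted from the site's own page
        "form_post": csrf_check("POST", site, {CSRF_FORM_FIELD: token}, {}),
        # jQuery AJAX: cookie read by same-origin JS, sent as X-CSRFToken
        "ajax_header": csrf_check("POST", site, {}, {CSRF_HEADER: token}),
        # forged POST from another origin: the browser attaches the cookie, but
        # the attacker's page can neither read it nor set the field/header
        "cross_site": csrf_check("POST", site, {"amount": "100"}, {}),
        # attacker guesses a token value: mismatch
        "guessed": csrf_check("POST", site, {CSRF_FORM_FIELD: "A" * 32}, {}),
        # no cookie at all (the client never rendered a form page)
        "no_cookie": csrf_check("POST", {}, {CSRF_FORM_FIELD: token}, {}),
        # HTTPS with a Referer from elsewhere
        "bad_referer": csrf_check("POST", site, {CSRF_FORM_FIELD: token},
                                  dict(https, HTTP_REFERER="https://evil.example/"),
                                  is_secure=True),
        # HTTPS with a same-host Referer
        "https_ok": csrf_check("POST", site, {CSRF_FORM_FIELD: token},
                               dict(https, HTTP_REFERER="https://app.example/form/"),
                               is_secure=True),
        # The limitation Django's docs state: whoever can set a cookie for the
        # domain (a subdomain, or the user in their own console) can choose any
        # value, submit it in both places, and pass the double-submit check.
        "attacker_set_cookie": csrf_check("POST", {CSRF_COOKIE: "ID"},
                                          {CSRF_FORM_FIELD: "ID"}, {}),
    }
```

The last scenario is the practical point for the thread: setting csrftoken yourself in your own browser only changes what your own browser will submit, because the check compares the cookie against the field or header in the same request. The scheme breaks down when a party other than the user can set cookies for the application's domain, which is why Django's documentation lists subdomains as a limitation and why the Referer check exists for HTTPS.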