[Owasp-leaders] CSRF

Giorgio Fedon giorgio.fedon at owasp.org
Wed May 29 07:49:53 UTC 2013


Hi all,

This is my opinion

CSRF attacks are a "blind" type of attack; they are effective if they cause a
change of state.
Typically CUD operations (create, update, delete) and not read operations
are subject to CSRF.
Read operations can sometimes be accessed in a way similar to CSRF, but
they need other issues to be abused; JavaScript Hijacking was one of
those.
Login operations are needed to authenticate the user, and after a
correct login the user changes his state from anonymous to
authenticated, and that change of state is typically written to a DB or to
some applicative storage.



On 05/29/2013 01:53 AM, Dave Wichers wrote:
> It deserves being explained in the OWASP article on CSRF. This is a bit too
> detailed for the 1 page we have on each Top 10 item in my opinion.
>
> -Dave
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: Tuesday, May 28, 2013 6:28 PM
> To: Gunnar Peterson
> Cc: OWASP Leaders
> Subject: Re: [Owasp-leaders] CSRF
>
> Is this explained properly in the new top 10?? I don't recall seeing this.
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 28 May 2013, at 23:24, Gunnar Peterson <gunnar at arctecgroup.net> wrote:
>
>> three things come to mind
>>
>> 1. if you have a large enough pool of users and want to brute force
>>
>> 2. or simply try and lock out a bunch of users, and force them to a weaker
>> scheme (questions) that you can wedge into
>> 3. if the site caches creds somewhere and you can reinstantiate that way
>>
>> -gunnar
>>
>>
>>
>> On May 28, 2013, at 5:17 PM, Eoin wrote:
>>
>>> Does CSRF ing a login page make sense to anyone :)
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
| Giorgio Fedon, Owasp Italy
|
| In Input Validation 
|            and Output Sanitization, 
|                                   We Trust
--
| Web: https://www.owasp.org/index.php/Italy
|_____________________________________________.
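To make the "login changes state" point concrete, here is an added example (mine, not code from anyone in this thread or from OWASP): a toy login endpoint that, with no pre-login anti-CSRF token, lets an attacker's page submit the attacker's own credentials from the victim's browser, so the victim ends up authenticated as the attacker. The hardened variant issues a synchronizer token to the anonymous pre-session and checks the Origin header. The class name, the origins app.example / evil.example, the credential store and the "attacker" account are all constructed for the demo.

```python
"""Login CSRF demo: the attacker makes the victim's browser submit the
attacker's own credentials to the target's login endpoint, so the victim
ends up authenticated as the attacker (a state change, not a read)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed credential store: the attacker owns this account.
USERS = {"attacker": "attacker-pw"}


@dataclass
class Session:
    sid: str
    csrf_token: str          # issued to the anonymous pre-login session too
    user: Optional[str] = None


class LoginService:
    """Hypothetical login endpoint. require_token=False reproduces the
    classic login-CSRF weakness: the login form is accepted with nothing
    but a cookie, and the cookie is sent by the browser on any cross-site
    POST (no SameSite attribute assumed)."""

    def __init__(self, require_token: bool,
                 allowed_origin: str = "https://app.example"):
        self.require_token = require_token
        self.allowed_origin = allowed_origin
        self.sessions: dict[str, Session] = {}

    def _new_session(self, user: Optional[str] = None) -> Session:
        s = Session(secrets.token_urlsafe(16), secrets.token_urlsafe(32), user)
        self.sessions[s.sid] = s
        return s

    def start_session(self) -> Session:
        """GET /login: give the anonymous visitor a pre-session and a token."""
        return self._new_session()

    def login(self, cookie_sid: Optional[str], form: dict,
              origin: Optional[str] = None) -> tuple[int, Optional[str]]:
        """POST /login. Returns (HTTP status, new session id or None)."""
        sess = self.sessions.get(cookie_sid) if cookie_sid else None
        if sess is None:
            sess = self._new_session()
        if self.require_token:
            # Defence 1: reject cross-site submissions by Origin header
            # (when the browser sends one).
            if origin is not None and origin != self.allowed_origin:
                return 403, None
            # Defence 2: synchronizer token bound to the pre-login session.
            # The attacker's page cannot read the victim's token, so it
            # cannot forge a submission that passes this check.
            token = form.get("csrf", "")
            if not hmac.compare_digest(token, sess.csrf_token):
                return 403, None
        if USERS.get(form.get("user")) != form.get("password"):
            return 401, None
        # Privilege level changed: rotate the session id (anti-fixation)
        # and record the state change, anonymous -> authenticated.
        del self.sessions[sess.sid]
        new = self._new_session(user=form["user"])
        return 200, new.sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        s = self.sessions.get(sid) if sid else None
        return s.user if s else None


def forged_login(service: LoginService, victim_cookie_sid: Optional[str]):
    """What an auto-submitting <form> on evil.example does in the victim's
    browser: POST the attacker's credentials with the victim's cookie, an
    Origin of the attacker's site, and no knowledge of the victim's token."""
    form = {"user": "attacker", "password": "attacker-pw"}
    return service.login(victim_cookie_sid, form, origin="https://evil.example")


def legit_login(service: LoginService):
    """A same-site submission of the login form the service itself rendered."""
    pre = service.start_session()
    form = {"user": "attacker", "password": "attacker-pw", "csrf": pre.csrf_token}
    return service.login(pre.sid, form, origin=service.allowed_origin)


def demo() -> dict:
    vulnerable = LoginService(require_token=False)
    victim_pre = vulnerable.start_session()          # victim merely visited the site
    status, sid = forged_login(vulnerable, victim_pre.sid)
    vuln_result = (status, vulnerable.user_for(sid))  # victim now logged in as attacker

    hardened = LoginService(require_token=True)
    victim_pre = hardened.start_session()
    status, sid = forged_login(hardened, victim_pre.sid)
    hard_result = (status, hardened.user_for(sid))    # forged login rejected

    ok_status, ok_sid = legit_login(hardened)
    legit_result = (ok_status, hardened.user_for(ok_sid))  # real form still works
    return {"vulnerable": vuln_result, "hardened": hard_result, "legit": legit_result}


if __name__ == "__main__":
    print(demo())
```

The vulnerable service accepts the forged POST and the victim's browser now holds a session authenticated as the attacker, which is exactly the anonymous-to-authenticated state change described above, made by someone who never read a single response. The hardened service needs the token to have been issued to the anonymous pre-session, not only after login, because there is no authenticated session yet to bind it to; the Origin check is a second, independent layer for browsers that send the header.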