[Owasp-leaders] CSRF Password Change Function

Carlos Sagrero carlos.sagrero at owasp.org
Fri Mar 17 01:24:48 UTC 2017


Hello, a few hours ago I had a discussion with several of my co-workers (all
of them are Application Security consultants) about whether, in a password
change function, it is valid to consider the current password as an anti-CSRF
control.

There is an interesting point that was the main discussion point: in the
end, the current password is not a control to avoid CSRF.

What do you think about it? Is it required to have a specific control for
CSRF?

Best regards.

-- 

Carlos Isaac Sagrero Campos

OWASP Mexico City
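To make the two controls under discussion concrete, here is a small password-change handler that enforces both a per-session synchronizer (anti-CSRF) token and re-entry of the current password. This is an added example, not code from the original post; the in-memory user and session stores, the static salt and the function names are constructed assumptions, not any framework's API.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for a user database and a
# session backend (assumption for the example, not a real framework).
_SALT = b"constructed-static-salt"   # a real system uses a per-user random salt
_ITER = 100_000
_users = {}
_sessions = {}


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)


def register(user, password):
    _users[user] = _hash(password)


def login(user, password):
    """Authenticate and open a session that carries its own CSRF token."""
    stored = _users.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(session_id):
    """Value the same-origin form embeds; a cross-origin page cannot read it."""
    return _sessions[session_id]["csrf"]


def change_password(session_id, form):
    """Return 'ok' or the reason the request was refused.

    The session cookie accompanies any cross-site form post, so it only says
    who the user is. The token check binds the request to a page served by
    this origin; the current-password check re-authenticates the user.
    Enforcing both sidesteps the question of whether either alone suffices.
    """
    session = _sessions.get(session_id)
    if session is None:
        return "no session"
    if not hmac.compare_digest(session["csrf"], form.get("csrf_token", "")):
        return "csrf token mismatch"
    if not hmac.compare_digest(_users[session["user"]],
                               _hash(form.get("current_password", ""))):
        return "current password incorrect"
    new_password = form.get("new_password", "")
    if len(new_password) < 8:
        return "new password too short"
    _users[session["user"]] = _hash(new_password)
    return "ok"
```

Order matters: the token is checked before the password so a forged cross-site post is rejected without touching the credential store.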
