[Owasp-leaders] CSRF Password Change Function

Ralph Durkee rd at rd1.net
Fri Mar 17 01:45:06 UTC 2017


I agree that requiring the current password is sufficient for anti-CSRF. 
If the attacker could provide the current password, then there would be 
no need for the attack.  Was there logic provided as to why the current 
password would not be sufficient?

-- Ralph Durkee, CISSP, GXPN, GPEN, GCIH, GSEC, GSNA, GCIA, C|EH
Principal Security Consultant


On 03/16/2017 09:24 PM, Carlos Sagrero wrote:
> Hello, a few hours ago I had a discussion with several of my 
> co-workers (all of them are Application Security consultants) about 
> whether, in a password change function, it is valid to consider the 
> current password as an anti-CSRF control.
>
> There was an interesting point that was the main discussion point: in 
> the end, the current password is not a control to avoid CSRF.
>
> What do you think about it? Is it required to have a specific control 
> for CSRF?
>
> Best regards.
>
> -- 
>
> *Carlos Isaac Sagrero Campos*
>
> *OWASP Mexico City*
>
>
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
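The argument Ralph makes above (a cross-site attacker can make the victim's browser send an authenticated request, but cannot put the victim's current password into it) can be exercised end to end. The following is an added example, not code from the thread or from OWASP: a minimal password-change handler with an in-memory user store and session table, called once as a forged cross-site request, once with a guessed current password, and once legitimately. The user, passwords, PBKDF2 iteration count and helper names are all constructed for the demo.

```python
"""Added example (not from the list thread): a password-change handler whose
only CSRF defence is the current-password check, exercised against a forged
cross-site request and a legitimate one.  All data here is constructed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: chosen for the demo, not a policy value


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the hash."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


USERS: Dict[str, User] = {}       # constructed in-memory user store
SESSIONS: Dict[str, str] = {}     # session cookie value -> username


def create_user(name: str, password: str) -> None:
    salt, pw_hash = hash_password(password)
    USERS[name] = User(name, salt, pw_hash)


def login(name: str, password: str) -> Optional[str]:
    """Returns a session cookie value on success, None otherwise."""
    user = USERS.get(name)
    if user is None or not verify_password(password, user.salt, user.pw_hash):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = name
    return cookie


def change_password(cookie: str, form: Dict[str, str]) -> Tuple[int, str]:
    """The password-change endpoint.

    The browser attaches the session cookie to any request, including one an
    attacker's page auto-submits, so the cookie alone cannot tell a forged
    request from a real one.  The current password is the one value the
    cross-site attacker cannot supply, which is why requiring it blocks CSRF.
    """
    user_name = SESSIONS.get(cookie)
    if user_name is None:
        return 401, "not authenticated"
    current = form.get("current_password")
    new = form.get("new_password")
    if not current or not new:
        # Fail closed: an omitted field must not skip the check.
        return 400, "current_password and new_password are required"
    user = USERS[user_name]
    if not verify_password(current, user.salt, user.pw_hash):
        return 403, "current password incorrect"
    user.salt, user.pw_hash = hash_password(new)
    return 200, "password changed"


def demo() -> Tuple[int, int, int]:
    """Runs the three requests and returns their status codes (400, 403, 200)."""
    create_user("alice", "correct horse battery staple")
    cookie = login("alice", "correct horse battery staple")
    # 1. Forged request: attacker's page submits the form; the browser adds
    #    alice's cookie, but the attacker has no current password to send.
    forged, _ = change_password(cookie, {"new_password": "attacker-chosen"})
    # 2. Forged request carrying a guess at the current password.
    guessed, _ = change_password(
        cookie, {"current_password": "password123", "new_password": "attacker-chosen"})
    # 3. Legitimate request from alice, who knows her current password.
    legit, _ = change_password(
        cookie, {"current_password": "correct horse battery staple",
                 "new_password": "new pass, also constructed"})
    return forged, guessed, legit


if __name__ == "__main__":
    print(demo())
```

The handler treats a missing `current_password` field exactly like a wrong one; an implementation that skips the check when the field is absent would hand the attacker back the very bypass the check is meant to close.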
