[Owasp-leaders] CSRF Password Change Function

Minhaz A V minhazav at gmail.com
Fri Mar 17 07:49:59 UTC 2017


Yes, the current password can be used as an anti-CSRF token; actually, if the old
password is needed for changing the password there is no need for anti-CSRF
logic there, as it's much like login and cookies don't play much of a role
except for the username. However, if you were to use an anti-CSRF method everywhere
(let's say on POST requests) you'd go for a homogeneous method.

----------------------------------------------------------------------------
Kind Regards,
Minhaz
minhazav.xyz | Blog <http://blog.minhazav.xyz> | Projects
<http://github.com/mebjas> | LinkedIn <https://in.linkedin.com/in/minhazav>

On Fri, Mar 17, 2017 at 7:15 AM, Ralph Durkee <rd at rd1.net> wrote:

> I agree that requiring the current password is sufficient for anti-CSRF.
> If the attacker could provide the current password, then there would be no
> need for the attack.  Was there logic provided as to why the current
> password would not be sufficient?
>
> -- Ralph Durkee, CISSP, GXPN, GPEN, GCIH, GSEC, GSNA, GCIA, C|EH
> Principal Security Consultant
>
>
>
> On 03/16/2017 09:24 PM, Carlos Sagrero wrote:
>
> Hello, a few hours ago I had a discussion with several of my co-workers (all
> of them are Application Security consultants) about whether, in a password
> change function, it is valid to consider the current password as an anti-CSRF
> control.
>
> There is an interesting point that was the main discussion point: at the
> end, the current password is not a control to avoid CSRF.
>
> What do you think about it? Is it required to have a specific control for
> CSRF?
>
> Best regards.
>
> --
>
> Carlos Isaac Sagrero Campos
>
> OWASP Mexico City
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
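The two designs discussed in this thread, the current-password check on its own and the "homogeneous" session-bound token on every POST, can be compared directly in a small handler. The following is an added example written for this archive page; it is not code from any of the posters and does not depend on any framework. The user store, session store, request dicts and the `change_password` handler are all constructed here as stand-ins for a real application, and the scenarios in `demo()` show why a cross-site request that carries the victim's cookie still fails when it cannot supply the current password, and why the token check additionally rejects a request that lacks it.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a real user database and a
# server-side session store (assumption: the cookie carries only the session id).
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # session id -> {"user": str, "csrf_token": str}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def login(username: str) -> str:
    """Create a server-side session and return its id (the value the cookie carries)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def change_password(request: dict, require_csrf_token: bool = True) -> tuple:
    """Password-change handler (hypothetical, not any framework's API).

    `request` is a constructed stand-in for an HTTP POST:
      {"cookies": {"session": sid}, "form": {...}}
    Returns (http_status, reason).
    """
    session = SESSIONS.get(request.get("cookies", {}).get("session"))
    if session is None:
        return (401, "no valid session")
    form = request.get("form", {})

    # Homogeneous anti-CSRF control: every state-changing POST must carry the
    # session-bound token, which a page on another origin cannot read.
    if require_csrf_token:
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token, session["csrf_token"]):
            return (403, "missing or invalid CSRF token")

    # Current-password check: the browser attaches the victim's cookie to a
    # cross-site request automatically, but the attacker cannot supply this value.
    if not verify_password(session["user"], form.get("current_password", "")):
        return (403, "current password incorrect")

    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return (400, "new password too short")

    salt = os.urandom(16)
    USERS[session["user"]] = {"salt": salt, "hash": hash_password(new_password, salt)}
    return (200, "password changed")


def demo() -> dict:
    """Run the scenarios discussed in the thread and return each outcome."""
    USERS.clear()
    SESSIONS.clear()
    create_user("alice", "correct horse battery")
    sid = login("alice")
    token = SESSIONS[sid]["csrf_token"]
    results = {}

    # 1. Cross-site request: cookie present, but neither the current password
    #    nor the session-bound token is known to the other origin.
    forged = {"cookies": {"session": sid},
              "form": {"new_password": "attacker-chosen-pw"}}
    results["forged_token_required"] = change_password(forged, require_csrf_token=True)
    results["forged_no_token"] = change_password(forged, require_csrf_token=False)

    # 2. Correct current password but no token: rejected by the homogeneous policy.
    no_token = {"cookies": {"session": sid},
                "form": {"current_password": "correct horse battery",
                         "new_password": "new-pass-phrase-1"}}
    results["legit_no_token"] = change_password(no_token, require_csrf_token=True)

    # 3. Fully formed legitimate request from the application's own page.
    legit = {"cookies": {"session": sid},
             "form": {"csrf_token": token,
                      "current_password": "correct horse battery",
                      "new_password": "new-pass-phrase-1"}}
    results["legit"] = change_password(legit, require_csrf_token=True)
    results["new_password_works"] = verify_password("alice", "new-pass-phrase-1")
    results["old_password_rejected"] = not verify_password("alice", "correct horse battery")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Scenario 1 is the point both Ralph and Minhaz make: with or without a token, the forged request is refused because the current password is wrong. Scenario 2 is Minhaz's caveat about homogeneity: once the policy is "token on every POST", the password-change endpoint is no exception, so a request missing the token is refused even though it knows the current password.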