[ OWASP - Montréal ] XSRF/CSRF testing difficulty level
sean at caedmon.net
Thu Nov 27 23:00:30 EST 2008
> But I have to agree with you. Most XSRF are difficult to exploit.
Often difficult to identify, but once identified, not hard to exploit.
> A good way to test the "XSRF potential" is to try to send POST requests
> as GET. For example, if your POST is
> POST /?password=mypassword&user=toto then you may want to try GET
> Some programmers (usually the slightly less experienced) forward the
> POST to a GET. Of course, this is a great XSRF potential. (Imagine
> an image called
This is only slightly harder to exploit when the action is only
face it, almost everyone does). Accepting only POST is no safer than
GET in this case.
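As an added example (not code from the post or the list), here is the quoted GET-replay test next to the reply's point, in Python: a login handler that merges GET and POST parameters, a hardened one that requires POST plus a per-session CSRF token, and a self-check that replays the POST parameters as a GET and as a token-less POST. The Request class, the SESSIONS store and the handler names are assumptions made for this example.

```python
from dataclasses import dataclass
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed session store (an assumption for this example): session id -> CSRF token.
SESSIONS = {"sess-1": secrets.token_hex(16)}


@dataclass
class Request:
    method: str
    query: str = ""        # raw query string, e.g. "user=toto&password=mypassword"
    body: str = ""         # raw form body of a POST
    session: str = "sess-1"
    csrf_token: str = ""


def _params(qs):
    return {k: v[0] for k, v in parse_qs(qs).items()}


def vulnerable_login(req):
    """The pattern the quoted post describes: parameters are read from a merged
    GET+POST bag (PHP's $_REQUEST style), so a GET carrying the same query
    string is handled exactly like the intended POST."""
    params = {**_params(req.query), **_params(req.body)}
    return "accepted" if {"user", "password"} <= set(params) else "rejected"


def hardened_login(req):
    """Require POST, read the form body only, and verify a per-session CSRF
    token. POST-only is no safer on its own (the reply's point); the token is
    what stops a forged cross-site submission."""
    expected = SESSIONS.get(req.session)
    if req.method != "POST" or expected is None or not req.csrf_token:
        return "rejected"
    if not hmac.compare_digest(expected, req.csrf_token):
        return "rejected"
    params = _params(req.body)
    return "accepted" if {"user", "password"} <= set(params) else "rejected"


def csrf_exposure(handler):
    """Self-check for a handler you own: does it act on the POST parameters
    replayed as a GET (the quoted poster's test), and on a POST that carries
    no CSRF token (the case the reply says POST-only does not cover)?"""
    creds = "user=toto&password=mypassword"
    return {
        "get_replay": handler(Request("GET", query=creds)) == "accepted",
        "post_no_token": handler(Request("POST", body=creds)) == "accepted",
    }
```

Run `csrf_exposure` against your own handler: any True in the result means the action can be triggered by a forged request, whichever method it nominally accepts.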