[ OWASP - Montréal ] XSFR/CSFR testing difficulty level

Laurent Desaulniers laurent.desaulniers at gmail.com
Thu Nov 27 23:04:01 EST 2008

Good point, especially the javascript part.

One thing that is important to mention too is that XSRF flaws are very
difficult to mitigate (at least, much more difficult than SQLi). I have
been told that the OWASP Enterprise API has a very good tokenizer to prevent
most XSRF, although I have not tried it yet.

Did anyone try it?

On Thu, Nov 27, 2008 at 11:00 PM, Sean Coates <sean at caedmon.net> wrote:

> But i have to agree with you. Most XSRF are difficult to exploit.
> Often difficult to identify, but once identified, not hard to exploit.
>  A good way to test the "XSRF potential" is to try to send POST requests as GET.
>> For example, if your POST is
>> POST /?password=mypassword&user=toto then you may want to try GET
>> password=mypassword&user=toto
>> Some programmers (usually the slightly less experienced) forward the POST
>> to a GET. Of course, this is a great XSRF potential. (Imagine an image
>> called setpassword=mypasswordicanuse&setemail=myevilhackeremail&confirm=1)
> This is only slightly harder to exploit when the action is only available
> via POST, if the browser has JavaScript enabled (and let's face it, almost
> everyone does). Accepting only POST is no safer than GET in this case.
> S
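As an added example (not code from this thread, from OWASP ESAPI, or from any of the posters), here is the pattern under discussion in Python: a state-changing handler that forwards GET to the same code path, beside the same action hardened with a per-session synchronizer token, which is the kind of token-based check the thread refers to. The in-memory session store, the handler signatures and the sample e-mail addresses are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption): session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session with a fresh, unguessable CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "email": "user@example.org"}
    return sid


def csrf_hidden_field(sid):
    """Hidden field the server embeds in its own forms (the synchronizer token)."""
    return '<input type="hidden" name="csrf_token" value="%s">' % SESSIONS[sid]["csrf_token"]


def set_email_legacy(method, params, sid):
    """The weak pattern from the thread: GET is forwarded to the POST logic and no
    token is checked, so the 'send the POST as a GET' test succeeds.
    Returns (status, reason)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    session["email"] = params["email"]          # any method, no token: XSRF-able
    return 200, "email updated"


def set_email(method, params, sid):
    """Hardened version of the same action. Returns (status, reason)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    # 1. A state change is never accepted via GET, so an <img src=...> cannot trigger it.
    if method != "POST":
        return 405, "state change requires POST"
    # 2. POST alone is not enough (a script can submit a form cross-site), so the
    #    request must carry the session-bound token; compare in constant time.
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    session["email"] = params["email"]
    return 200, "email updated"
```

Rotating the token per session (or per form) and rejecting any request that lacks it is what makes the "POST as GET" and cross-site form-submission cases in the thread fail.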
