[ OWASP - Montréal ] XSRF/CSRF testing difficulty level
sean at caedmon.net
Thu Nov 27 23:14:54 EST 2008
> One thing that is important to mention too is that XSRF flaws are
> very difficult to mitigate. (At least, much more difficult than..
I don't think it's more difficult to mitigate than SQL Injection. You
just need to store a token on the server side, and provide the token
(or a hash based on this token) in each form that can perform any sort
of "dangerous" action. The provided token must be checked before
performing the action, and it must be user- and session-specific.
The difficult part is remembering to put it in each action/form, but
that's also true of SQL Injection prevention.
Chris Shiflett (my boss) has a good article on CSRF, here: http://shiflett.org/articles/cross-site-request-forgeries
(it originally ran in php|architect's Security Corner sometime in
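The token scheme described in the message above, written out as an added example (not code from the post or from Shiflett's article). It assumes a server-side session store, represented here by an in-memory dict, and derives each form's token as an HMAC of the action name under a per-session secret, so the secret itself never leaves the server and a token captured from one form cannot be replayed against another action or another user's session. Names such as start_session, form_token and handle_post are hypothetical.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for a real server-side session table, keyed by the
# opaque session id that would normally travel in a cookie.
SESSIONS = {}


def start_session(user_id):
    """Create a session holding a fresh CSRF secret for this user and session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "csrf_secret": secrets.token_bytes(32)}
    return sid


def form_token(sid, action):
    """Token to embed in the form for `action`.

    It is a hash based on the stored secret rather than the secret itself,
    and it is bound to the action, the session and (through the session)
    the user, so it cannot be reused elsewhere.
    """
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()


def render_form(sid, action):
    """Emit the hidden field every 'dangerous' form has to carry."""
    return (
        f'<form method="POST" action="/{action}">'
        f'<input type="hidden" name="csrf_token" value="{form_token(sid, action)}">'
        f'<input type="submit"></form>'
    )


def extract_token(html):
    """What a legitimate browser does: pick the token up from the served form."""
    match = re.search(r'name="csrf_token" value="([0-9a-f]+)"', html)
    return match.group(1) if match else ""


def handle_post(sid, action, fields):
    """Server side of the POST: verify the token before doing anything."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return (403, "no session")
    submitted = fields.get("csrf_token", "")
    expected = form_token(sid, action)
    # Constant-time comparison; encode so non-ASCII junk cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return (403, "CSRF token missing or invalid")
    return (200, f"{action} performed for {sess['user']}")


def demo():
    """Legitimate submission versus the three forged variants the check rejects."""
    alice = start_session("alice")
    token = extract_token(render_form(alice, "transfer"))
    results = {
        # Browser submits the form it was served.
        "legit": handle_post(alice, "transfer", {"csrf_token": token, "amount": "100"}),
        # Cross-site page forges the POST; it never saw the token.
        "forged_no_token": handle_post(alice, "transfer", {"amount": "100"}),
        # Attacker replays Alice's token inside their own session.
        "other_session": handle_post(start_session("mallory"), "transfer", {"csrf_token": token}),
        # Token for one action is presented to a different action.
        "other_action": handle_post(alice, "delete_account", {"csrf_token": token}),
    }
    return results


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name:16} -> {status} {msg}")
```

The check has to run in every handler that changes state, which is the part the message calls the difficult one; wiring form_token into the form template and handle_post's check into a single request filter is how that repetition is usually kept honest.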