[ OWASP - Montréal ] XSRF/CSRF testing difficulty level

Sean Coates sean at caedmon.net
Thu Nov 27 23:14:54 EST 2008


> One thing that is important to mention too is that XSRF flaws are
> very difficult to mitigate. (At least, much more difficult than
> SQLi.)

I don't think it's more difficult to mitigate than SQL Injection. You
just need to store a token on the server side, and provide the token
(or a hash based on this token) in each form that can perform any sort
of "dangerous" action. The provided token must be checked before
performing the action, and it must be user- and session-specific.

The difficult part is remembering to put it in each action/form, but
that's also true of SQL Injection prevention.

Chris Shiflett (my boss) has a good article on CSRF here:
http://shiflett.org/articles/cross-site-request-forgeries
(it originally ran in php|architect's Security Corner sometime in 2004).

S
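The token scheme Sean describes (a server-side secret bound to the user and session, a per-form value derived from it, and a check before any dangerous action), worked through as an added example. This is not code from the post or from Chris Shiflett's article; the in-memory session dict, the action names and the "delete-account" form are constructed stand-ins for a real framework's session store and form handling.

```python
"""Constructed example of a session-bound CSRF token, not code from the
original mailing-list post. SESSIONS stands in for a real server-side
session store (PHP's $_SESSION, for instance); everything is in-memory."""
import hashlib
import hmac
import secrets

# Constructed in-memory session store keyed by session id.
SESSIONS = {}


def create_session(user_id):
    """Start a session and bind a fresh random CSRF secret to it.

    The secret never leaves the server; only values derived from it are
    placed in forms."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "csrf_secret": secrets.token_bytes(32)}
    return sid


def form_token(sid, action):
    """Per-form token: HMAC of the session secret over user id and action.

    Binding the token to the user and the action means a token captured
    for one form (or minted in the attacker's own session) is useless
    for a different form or a different victim."""
    sess = SESSIONS[sid]
    msg = f"{sess['user_id']}:{action}".encode()
    return hmac.new(sess["csrf_secret"], msg, hashlib.sha256).hexdigest()


def render_form(sid, action):
    """Emit the form for a dangerous action with the token as a hidden field.

    This is the step that must be repeated for every dangerous form."""
    return (
        f'<form method="post" action="/{action}">'
        f'<input type="hidden" name="csrf_token" value="{form_token(sid, action)}">'
        f"<button>Submit</button></form>"
    )


def handle_post(sid, action, fields):
    """Verify the token before performing the action.

    Returns (ok, message). The comparison is constant-time so the check
    itself does not leak the expected token."""
    if sid not in SESSIONS:
        return False, "no session"
    supplied = fields.get("csrf_token", "")
    expected = form_token(sid, action)
    if not hmac.compare_digest(supplied, expected):
        return False, "csrf token missing or invalid"
    return True, f"{action} performed for user {SESSIONS[sid]['user_id']}"


def simulate():
    """Run a legitimate submission and three forged ones; return the outcomes."""
    alice = create_session("alice")
    mallory = create_session("mallory")
    results = {}

    # Legitimate: Alice loads the form and submits it with the token it carried.
    html = render_form(alice, "delete-account")
    token = html.split('value="')[1].split('"')[0]
    results["legit"] = handle_post(alice, "delete-account", {"csrf_token": token})[0]

    # Forged: a page on another origin auto-submits to the site. The browser
    # sends Alice's session cookie, but the attacker never saw her token.
    results["forged_no_token"] = handle_post(alice, "delete-account", {"confirm": "yes"})[0]

    # Forged with a token from the attacker's own session: rejected, because
    # the token is bound to the session secret and user id.
    results["forged_other_session"] = handle_post(
        alice, "delete-account", {"csrf_token": form_token(mallory, "delete-account")}
    )[0]

    # A genuine token for a different action is rejected as well.
    results["wrong_action"] = handle_post(
        alice, "delete-account", {"csrf_token": form_token(alice, "change-email")}
    )[0]
    return results


if __name__ == "__main__":
    print(simulate())
```

The derived-token variant is the "hash based on this token" option from the post: forms carry HMAC(secret, user:action) rather than the raw secret, so a token leaked from one page is not the session's master value. Two checks that belong in any deployment but are outside this snippet: state-changing actions must be reachable only by POST (a GET handler that performs the action bypasses the form entirely), and the session cookie should be HttpOnly so script on the page cannot read it and forge the cookie-plus-token pair.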
