[ OWASP - Montréal ] XSRF/CSRF testing difficulty level

Benoit Guerette benoit.guerette at gmail.com
Sun Nov 30 20:35:48 EST 2008


I found an interesting point in the OWASP Top Ten, saying that code
review is the best way to find XSRF.

Is it common to see a pen tester doing code review? I guess it is not
common to find a pen tester doing network pentest + webapps pentest +
code review.

OWASP TOP TEN:
Automated approaches: Few automated scanners can detect CSRF
vulnerabilities today, even though CSRF detection can be somewhat
automated given a sufficiently capable application scanning
engine. However, if your application scanner picks up a
cross-site scripting vulnerability and you have no anti-CSRF
protections, you are very likely to be at risk from pre-canned CSRF
attacks.

Manual approaches: Penetration testing is a quick way to verify that
CSRF protection is in place. To verify that the mechanism is strong
and properly implemented, checking the code is the most efficient
course of action.
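An added example (my own code, not from this thread or from the OWASP text quoted above) that pairs the two approaches the quote contrasts: the black-box heuristic a scanner can apply to a page's forms, and the server-side synchronizer-token check a code reviewer verifies by reading the code. The token field-name hints, the function names and the sample HTML are assumptions.

```python
import hmac
import secrets
from html.parser import HTMLParser

# Hidden-field names that commonly carry an anti-CSRF token (assumed list).
TOKEN_FIELD_HINTS = ("csrf", "xsrf", "token", "nonce")


class _FormCollector(HTMLParser):
    """Collects each <form> with its action, method and hidden input names."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": (a.get("method") or "get").lower(),
                               "hidden": []})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["hidden"].append((a.get("name") or "").lower())


def forms_without_csrf_token(html):
    """Black-box heuristic: actions of state-changing (POST) forms that carry no
    hidden field whose name looks like an anti-CSRF token.  It cannot tell whether
    a token that is present is actually validated server-side; that needs code review."""
    p = _FormCollector()
    p.feed(html)
    return [f["action"] for f in p.forms
            if f["method"] == "post"
            and not any(any(h in n for h in TOKEN_FIELD_HINTS) for n in f["hidden"])]


def new_csrf_token():
    """Per-session token with enough entropy that it cannot be guessed."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    """What a reviewer checks in the server code: a token exists in the session,
    one was submitted, and they are compared in constant time.  A missing token
    on either side fails closed instead of raising or falling through."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


# Constructed sample page: one protected POST form, one unprotected, one GET search.
SAMPLE_HTML = """
<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="abc"><input name="amount"></form>
<form action="/change-email" method="post"><input name="email"></form>
<form action="/search"><input name="q"></form>
"""
```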

