[WEB SECURITY] Defeating nonce/token based CSRF protection

Zinho zinho at hackerscenter.com
Thu Apr 17 14:17:43 EDT 2008

You're right Jeroen,
That's why I believe that strong CAPTCHA's are more robust than tokens 
The problem with CAPTCHA's is that they are not always practicable. I've 
worked to fix CSRF problems into Joomla and such new CMS are full of 
ajax features and toggle buttons that are meant to increase usability 
and, at least in the case of CSRF, decrease security.
Another solution would be to ask for further user authentication (login 
again) before performing  "sensitive" actions.
Anyway, in my opinion, there is so little attention to CSRF from web 
developers that every time I see the use of tokens into the web 
application I pen test, it seems a miracle to me.


Webmaster and Founder 

Hackers Center 
Internet Security Portal

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list