[WEB SECURITY] CSRF and Header Forging - your thoughts needed

Michael Coates michael.coates at owasp.org
Fri May 14 12:50:56 EDT 2010


All,

I'm looking for thoughts on CSRF attacks that result in forged headers
from the victim user to the target site. Are there modern attacks that
work here? If not, could we implement a CSRF protection that uses a
custom header and avoid the cost of computing random numbers?  This
sounds very strange at first since we are accustomed to the standard
random CSRF token approach.  However, please take a look and contribute
to the comment thread:

http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html


(Several comments on the article already, I encourage you to post your
comments there for everyone to read)

Thanks!

-- 
Michael Coates
http://michael-coates.blogspot.com
OWASP Member & Contributor
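One way to implement the custom-header check the post asks about, as an added example that is not part of the original message or the linked article. The header name and value, the site origin and the sample requests are assumptions made for illustration; the check rests on the browser rule that a cross-site form post cannot carry a custom header, and that adding one from script triggers a CORS preflight the site can refuse.

```python
"""Custom-header CSRF check (added example, not from the original post).

A state-changing request is accepted only if it carries the expected custom
header. A plain cross-site form submission cannot add such a header, and a
cross-site XMLHttpRequest that tries to add one is preceded by a CORS
preflight, which this site must answer without permissive
Access-Control-Allow-Origin / Access-Control-Allow-Headers values.
Origin/Referer are checked as defence in depth when the browser sends them.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
CSRF_HEADER = "X-Requested-With"   # assumed name; any header not sent by forms works
CSRF_VALUE = "XMLHttpRequest"      # assumed value; a fixed string, no random token


def _origin_of(url: str) -> str:
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_ok(method: str, headers: Mapping[str, str], site_origin: str) -> bool:
    """Return True if the request may proceed.

    method:      HTTP method of the incoming request
    headers:     request headers (names compared case-insensitively)
    site_origin: this site's own origin, e.g. "https://example.test" (assumed)
    """
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so no check needed
    h = {name.lower(): value for name, value in headers.items()}
    # 1. The custom header must be present with the expected value.
    if h.get(CSRF_HEADER.lower()) != CSRF_VALUE:
        return False
    # 2. Defence in depth: if Origin or Referer was sent, it must be our own.
    #    "Origin: null" and foreign origins both fail this comparison.
    source: Optional[str] = h.get("origin") or h.get("referer")
    if source is not None and _origin_of(source) != site_origin.lower():
        return False
    return True
```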
