[WEB SECURITY] CSRF and Header Forging - your thoughts needed

nilesh kumar nileshkumar83 at yahoo.co.in
Fri May 28 07:21:46 EDT 2010


Hi Paul,

I agree with you. Adding a random token with every page
will also add to server load. We also recommend that our developers
generate a random number which is valid for that particular session only.
But it depends on the criticality of the application as well.


Thanks & Regards,

Nilesh Kumar,

Engineer-Security Management,

Honeywell Technology Solutions,India

--- On Fri, 28/5/10, nilesh kumar <nileshkumar83 at yahoo.co.in> wrote:

From: nilesh kumar <nileshkumar83 at yahoo.co.in>
Subject: Re: [WEB SECURITY] CSRF and Header Forging - your thoughts needed
To: "Paul Johnston" <paul.johnston at pentest.co.uk>
Date: Friday, 28 May, 2010, 4:45 PM


--- On Mon, 17/5/10, Paul Johnston <paul.johnston at pentest.co.uk> wrote:

From: Paul Johnston <paul.johnston at pentest.co.uk>
Subject: Re: [WEB SECURITY] CSRF and Header Forging - your thoughts needed
To: websecurity at webappsec.org
Date: Monday, 17 May, 2010, 12:25 AM

Hi,

Is there any need to have a different token on each page? I don't think
so. I've always recommended that the anti-CSRF token be generated at the
same time as the session ID, and remain constant throughout the session.
Sure, changing it may add a little security, but I don't think changing
is necessary, not at all.

Paul

-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited
 - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
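The approach both Paul and Nilesh describe, a single anti-CSRF token minted together with the session ID and kept constant for the session's lifetime, is shown below as an added example. This is not code from the thread or from any project mentioned in it; the `SessionStore`, `render_form` and `handle_state_change` names, the cookie and form field names, and the in-memory store are all assumptions made for illustration.

```python
import hmac
import secrets

# Session-scoped anti-CSRF token: minted once, when the session is created,
# and constant until the session ends. The only extra server-side state is one
# string per session, not one per rendered page.

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG, same strength as the session ID


class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        """Create a session and mint its anti-CSRF token at the same time."""
        session_id = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[session_id] = {
            "user": user,
            "csrf_token": secrets.token_urlsafe(TOKEN_BYTES),
        }
        return session_id

    def get(self, session_id):
        return self._sessions.get(session_id)

    def destroy(self, session_id):
        """Ending the session retires its token with it."""
        self._sessions.pop(session_id, None)


def render_form(store, session_id):
    """Embed the session's token in a form. Every page rendered during the
    session carries the same value, so no per-page bookkeeping is needed."""
    session = store.get(session_id)
    if session is None:
        return None
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
            '</form>')


def handle_state_change(store, cookies, form):
    """Server-side check for a state-changing POST.

    cookies: request cookies. The browser attaches these even to a request
             initiated by another site, which is why the cookie alone proves
             nothing about where the request came from.
    form:    submitted form fields. A page on another origin cannot read the
             victim's token, so a forged request cannot include the right one.
    Returns an (HTTP status, message) pair.
    """
    session = store.get(cookies.get("session", ""))
    if session is None:
        return 401, "no valid session"
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str):
        return 403, "missing anti-CSRF token"
    # Constant-time comparison on bytes so the check neither leaks the token
    # position by position nor raises on non-ASCII input.
    expected = session["csrf_token"].encode("utf-8")
    if not hmac.compare_digest(expected, submitted.encode("utf-8")):
        return 403, "anti-CSRF token mismatch"
    return 200, f"state change accepted for {session['user']}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    # Legitimate submission: cookie plus the token the page embedded.
    token = store.get(sid)["csrf_token"]
    print(handle_state_change(store, {"session": sid}, {"csrf_token": token}))
    # Constructed cross-site submission: the browser sends the cookie, but the
    # attacking page could not read the token, so the field is absent.
    print(handle_state_change(store, {"session": sid}, {}))
```

Because the token lives only as long as the session, logging out (`destroy`) invalidates it, and an application that regenerates the session ID on login should mint a fresh token at the same moment rather than carrying one over from the anonymous session.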
