[WEB SECURITY] How are you tackling CSRF?
David.Teller at mlstate.com
Sat Apr 23 06:13:20 EDT 2011
There's actually also a Programming Language theory related to CSRF, which we've been investigating: Types and Effects.
With an appropriate programming language (Java could be sufficient, with annotations) and a good library, it is quite feasible to have the compiler (or an external audit tool) determine automatically if the simple fact of accessing a given resource while authenticated will trigger behavior that should only take place by explicit demand of a user.
On Apr 23, 2011, at 5:19 AM, Arian J. Evans wrote:
> Tasos - thank you for explaining how you test for this!
> We actually cover this testing paradigm in the article. We find it to be
> littered with so many false positives that business owners wind up
> ignoring the overall results, as we discuss in the article. There are
> other drawbacks as well from what we have observed.
> What have you found in terms of response to your results so far?
> Arian Evans
> Sybarite Software Security Scanning Savant
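As an added illustration of the types-and-effects idea (not code from the original post, and not MLstate's tooling), here is a small Python audit tool in the spirit of the "external audit tool" mentioned above. It treats decorators as effect annotations, infers each function's effects transitively over the call graph, and flags any handler reachable through a safe method (GET/HEAD/OPTIONS) that can reach a state change, plus any unsafe-method handler that reaches a state change without passing through a token check. The `@effect`/`@route` decorators, the effect names, the policy sets and the sample application it scans are all constructed for this example.

```python
"""Toy "types and effects" CSRF audit: infer, from decorators, which HTTP
handlers can reach state-changing code.

Added example, not code from the original post or from MLstate; the
@effect/@route decorators, the effect names and SAMPLE_APP are constructed.
"""
import ast
import textwrap

# Constructed sample application. The audit only parses this text; it never
# imports or executes it, so db/mailer/render need not exist.
SAMPLE_APP = textwrap.dedent('''
    @effect("db.write")
    def delete_account(user_id):
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))

    @effect("db.write")
    def set_name(user_id, name):
        db.execute("UPDATE users SET name = ? WHERE id = ?", (name, user_id))

    @effect("mail.send")
    def notify(user):
        mailer.send(user.email, "Your account was closed")

    @effect("csrf.verified")
    def verify_csrf_token(request):
        if request.form.get("csrf") != request.session.get("csrf"):
            raise PermissionError("bad CSRF token")

    def load_profile(user_id):                  # pure read: no annotation
        return db.query("SELECT * FROM users WHERE id = ?", (user_id,))

    def close_account(user):                    # effects inherited from callees
        delete_account(user.id)
        notify(user)

    @route("GET")
    def profile(request):
        return render(load_profile(request.user.id))

    @route("GET")
    def unsubscribe(request):                   # fires by merely visiting the URL
        close_account(request.user)

    @route("POST")
    def rename(request):                        # POST, but no token check
        set_name(request.user.id, request.form["name"])

    @route("POST")
    def delete_me(request):
        verify_csrf_token(request)
        close_account(request.user)
''')

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}       # must not change state
STATE_CHANGING = {"db.write", "mail.send"}      # effects a user must explicitly request
TOKEN_EFFECT = "csrf.verified"                  # effect produced by the token check


def _decorator_args(fn, name):
    """String arguments of every decorator called `name` on `fn`."""
    return [a.value for d in fn.decorator_list
            if isinstance(d, ast.Call) and isinstance(d.func, ast.Name) and d.func.id == name
            for a in d.args if isinstance(a, ast.Constant) and isinstance(a.value, str)]


def _callees(fn, known):
    """Names of module-level functions that `fn` calls directly."""
    return {c.func.id for c in ast.walk(fn)
            if isinstance(c, ast.Call) and isinstance(c.func, ast.Name) and c.func.id in known}


def infer_effects(funcs):
    """Effects of a function = its own annotations plus those of everything it calls."""
    memo = {}

    def visit(name, stack):
        if name in memo:
            return memo[name]
        if name in stack:                       # recursion guard
            return set()
        eff = set(_decorator_args(funcs[name], "effect"))
        for callee in _callees(funcs[name], funcs):
            eff |= visit(callee, stack | {name})
        memo[name] = eff
        return eff

    return {n: visit(n, frozenset()) for n in funcs}


def audit(source):
    """Return (handler, method, reason) for each handler that violates the policy."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    effects = infer_effects(funcs)
    findings = []
    for name, fn in funcs.items():
        for method in _decorator_args(fn, "route"):
            changes = ", ".join(sorted(effects[name] & STATE_CHANGING))
            if not changes:
                continue
            if method in SAFE_METHODS:
                findings.append((name, method, "state change reachable by plain navigation: " + changes))
            elif TOKEN_EFFECT not in effects[name]:
                findings.append((name, method, "state change without CSRF token check: " + changes))
    return findings


if __name__ == "__main__":
    for handler, method, reason in audit(SAMPLE_APP):
        print(f"{method} {handler}: {reason}")
```

Two caveats a practitioner would want: the analysis is only as good as the annotations at the leaves (here `db.execute` called from an unannotated function would be invisible, which is why the "good library" part matters: the persistence and mail primitives themselves should carry the effect), and the token rule above is order-insensitive, so a handler that writes first and verifies afterwards still passes; a real effect system would sequence the two.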