[WEB SECURITY] How are you tackling CSRF?

David Rajchenbach-Teller David.Teller at mlstate.com
Sat Apr 23 06:13:20 EDT 2011


There's actually also a Programming Language theory related to CSRF, which we've been investigating: Types and Effects.
With an appropriate programming language (Java could be sufficient, with annotations) and a good library, it is quite feasible to have the compiler (or an external audit tool) determine automatically if the simple fact of accessing a given resource while authenticated will trigger behavior that should only take place by explicit demand of a user.

Cheers,
 David

-- 
  David Rajchenbach-Teller
  CSO, MLstate

On Apr 23, 2011, at 5:19 AM, Arian J. Evans wrote:

> Tasos - thank you for explaining how you test for this!
> 
> We actually cover this testing paradigm in the article. We find it to be
> littered with so many false positives that business owners wind up
> ignoring the overall results, as we discuss in the article. There are
> other drawbacks as well from what we have observed.
> 
> What have you found in terms of response to your results so far?
> 
> ---
> Arian Evans
> Sybarite Software Security Scanning Savant
> 
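The types-and-effects approach David sketches above, worked through as an added example (this is not code from the original post or from MLstate): a small external audit tool that reads effect annotations off a constructed sample application and infers, per request handler, whether merely reaching that handler while authenticated triggers a state change that no explicit user action vouched for. The decorator names (`route`, `effect`, `requires_user_intent`) and the sample application are assumptions made for this example.

```python
# Toy effect-based CSRF audit (added example, not the original post's code):
# low-level operations carry an effect annotation, and the tool infers, per
# request handler, whether merely being called while authenticated can reach
# a state change that no explicit user action vouched for.
import ast
import textwrap

# Constructed sample application. The decorator names are hypothetical:
#   @route(METHOD) registers a handler; @effect(KIND) declares a side effect;
#   @requires_user_intent marks a function that verifies the request was
#   explicitly demanded by the user (anti-CSRF token, confirmation) first.
SAMPLE_APP = textwrap.dedent('''
    @effect("state_change")
    def db_update_email(user, email): ...

    @effect("state_change")
    def db_transfer(src, dst, amount): ...

    @effect("read")
    def db_load_profile(user): ...

    @requires_user_intent
    def checked_transfer(req):
        # verifies req.form["csrf_token"] before acting
        db_transfer(req.user, req.form["dst"], req.form["amount"])

    @route("GET")
    def profile(req):
        return db_load_profile(req.user)

    @route("GET")
    def change_email(req):
        # classic CSRF: an authenticated GET that mutates state
        db_update_email(req.user, req.args["email"])

    @route("POST")
    def transfer(req):
        checked_transfer(req)

    @route("POST")
    def transfer_unchecked(req):
        # POST alone proves nothing about user intent
        db_transfer(req.user, req.form["dst"], req.form["amount"])
''')


def _decorator(dec):
    """('route', 'GET') for @route("GET"); ('requires_user_intent', None) for a bare name."""
    if isinstance(dec, ast.Name):
        return dec.id, None
    if isinstance(dec, ast.Call) and isinstance(dec.func, ast.Name):
        args = dec.args
        arg = args[0].value if args and isinstance(args[0], ast.Constant) else None
        return dec.func.id, arg
    return None, None


def collect(source):
    """Per top-level function: HTTP method, declared effect, whether it checks
    user intent, and the names it calls (the call-graph edges)."""
    fns = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.FunctionDef):
            continue
        info = {"method": None, "effect": None, "intent": False}
        for dec in node.decorator_list:
            name, arg = _decorator(dec)
            if name == "route":
                info["method"] = arg
            elif name == "effect":
                info["effect"] = arg
            elif name == "requires_user_intent":
                info["intent"] = True
        info["callees"] = {n.func.id for n in ast.walk(node)
                           if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}
        fns[node.name] = info
    return fns


def unguarded_effects(fns, name, seen=None):
    """Effects reachable from `name` along call paths that never pass through a
    function verifying explicit user intent (those paths count as guarded)."""
    seen = set() if seen is None else seen
    info = fns.get(name)
    if info is None or name in seen or info["intent"]:
        return set()
    seen.add(name)
    effects = {info["effect"]} if info["effect"] else set()
    for callee in info["callees"]:
        effects |= unguarded_effects(fns, callee, seen)
    return effects


def audit(source):
    """Handlers that an authenticated request can drive into a state change with
    no proof the user asked for it, as sorted 'METHOD name' strings."""
    fns = collect(source)
    return sorted(f"{info['method']} {name}" for name, info in fns.items()
                  if info["method"] and "state_change" in unguarded_effects(fns, name))


if __name__ == "__main__":
    for finding in audit(SAMPLE_APP):
        print("CSRF-prone handler:", finding)
```

Running the file reports two CSRF-prone handlers. The point the audit makes is that the HTTP method is not the deciding factor: `transfer_unchecked` is a POST and is still flagged, while `transfer` passes because every path to `db_transfer` goes through a function that verified explicit user intent. In a real system the effect labels would come from the framework's data-access layer and the intent check from its anti-CSRF token verification, and the analysis would have to handle method calls, dynamic dispatch and cross-module calls, all of which this toy ignores.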
