[WEB SECURITY] How are you tackling CSRF?

Steven M. Christey coley at rcf-smtp.mitre.org
Sat Apr 23 12:32:08 EDT 2011


Disclaimer: I'm mostly ignorant about automated detection of CSRF.

Just a random thought.  Has anybody investigated filtering/prioritizing 
forms based on how many pages invoke those forms?  I would guess that some 
critical state-changing forms would only be accessible from a single page, 
whereas (e.g.) a search or login function might be accessible from many.

In a CMS scenario for example, there might be lots of pages that link to a 
"create a new page" form, but only one page that points to the form 
"commit the new page content you just filled in."

This might not serve as *proof* that a form should have CSRF protection, 
but it might be one way of sorting the potential false-positives.

- Steve
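As an added illustration of the heuristic suggested in the post (example code written for this page; it is not Steve's code nor part of any scanner), the script below parses a small constructed set of pages, counts on how many distinct pages each form action is embedded, and ranks the state-changing (non-GET) forms that show no token-like field, rarest first. The sample pages, their paths, and the field-name hints used to guess at a CSRF token are all assumptions; a real crawl would feed fetched HTML into `collect_forms` instead.

```python
"""Rank forms by how many pages embed them: a triage heuristic for CSRF review.

Constructed example for this page; SAMPLE_PAGES, the paths and TOKEN_HINTS
are assumptions, not data from the original post.
"""
from collections import defaultdict
from html.parser import HTMLParser

# Constructed mini-site: path -> HTML. The search and logout forms appear on
# many pages; the "commit" form is reachable only from the edit page.
SAMPLE_PAGES = {
    "/": (
        '<form action="/search" method="get"><input name="q"></form>'
        '<form action="/logout" method="post"><button>Log out</button></form>'
        '<a href="/edit">New page</a>'
    ),
    "/about": (
        '<form action="/search" method="get"><input name="q"></form>'
        '<form action="/logout" method="post"><button>Log out</button></form>'
    ),
    "/edit": (
        '<form action="/search" method="get"><input name="q"></form>'
        '<form action="/logout" method="post"><button>Log out</button></form>'
        '<form action="/commit" method="post"><textarea name="body"></textarea></form>'
    ),
    "/login": (
        '<form action="/login" method="post">'
        '<input type="hidden" name="csrf_token" value="placeholder">'
        '<input name="user"><input type="password" name="pass"></form>'
    ),
}

# Field-name fragments that suggest an anti-CSRF token is present (assumption).
TOKEN_HINTS = ("csrf", "token", "nonce", "authenticity")


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action, method and field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["inputs"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def looks_protected(field_names):
    """Heuristic only: a hidden token field is suggestive, not proof of protection."""
    return any(hint in name.lower() for name in field_names for hint in TOKEN_HINTS)


def collect_forms(pages):
    """Return {action: {"methods": set, "pages": set, "protected": bool}}.

    'pages' is the set of paths that embed a form with that action, which is
    the count the heuristic sorts on. 'protected' is False if any instance of
    the form lacks a token-like field.
    """
    by_action = defaultdict(lambda: {"methods": set(), "pages": set(), "protected": True})
    for path, html in pages.items():
        parser = FormCollector()
        parser.feed(html)
        parser.close()
        for form in parser.forms:
            entry = by_action[form["action"]]
            entry["methods"].add(form["method"])
            entry["pages"].add(path)
            entry["protected"] = entry["protected"] and looks_protected(form["inputs"])
    return dict(by_action)


def prioritize(pages):
    """List (action, page_count, protected) for non-GET forms.

    Unprotected forms come first, and within each group the forms embedded on
    the fewest pages lead, matching the idea that a one-page form is more
    likely to be a critical state change than a form found everywhere.
    """
    rows = []
    for action, entry in collect_forms(pages).items():
        if entry["methods"] == {"get"}:
            continue  # read-only forms such as search are not CSRF targets here
        rows.append((action, len(entry["pages"]), entry["protected"]))
    rows.sort(key=lambda r: (r[2], r[1], r[0]))
    return rows


if __name__ == "__main__":
    for action, count, protected in prioritize(SAMPLE_PAGES):
        flag = "token seen" if protected else "NO token"
        print(f"{action:10s} embedded on {count} page(s)  [{flag}]")
```

Run it as-is and the commit form (one page, no token) lands at the top, the logout form (three pages, no token) below it, and the token-bearing login form last; the counts are the sorting signal, while the token check only decides which group a form falls in.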



