[WEB SECURITY] How are you tackling CSRF?
Steven M. Christey
coley at rcf-smtp.mitre.org
Sat Apr 23 12:32:08 EDT 2011
Disclaimer: I'm mostly ignorant about automated detection of CSRF.
Just a random thought. Has anybody investigated filtering/prioritizing
forms based on how many pages invoke those forms? I would guess that some
critical state-changing forms would only be accessible from a single page,
whereas (e.g.) a search or login function might be accessible from many.
In a CMS scenario for example, there might be lots of pages that link to a
"create a new page" form, but only one page that points to the form
"commit the new page content you just filled in."
This might not serve as *proof* that a form should have CSRF protection,
but it might be one way of sorting the potential false-positives.
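One way to try the referrer-count heuristic proposed above, as an added example not from the thread: crawl output is modelled as a dict of page URL to HTML (constructed sample), every POST form is treated as potentially state-changing (an assumption), and forms are ranked by how many distinct pages carry them, fewest first, so a form reachable from a single page floats to the top of the CSRF review queue.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin


class FormCollector(HTMLParser):
    """Records (resolved action URL, method) for every <form> on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        a = dict(attrs)
        # A form with no action submits to the page itself.
        action = urljoin(self.page_url, a.get("action") or self.page_url)
        method = (a.get("method") or "get").lower()
        self.forms.append((action, method))


def rank_forms_by_referrers(site):
    """site: {page_url: html}. Returns [(action, referrer_count), ...] for
    POST forms, sorted so forms reachable from the fewest pages come first."""
    referrers = defaultdict(set)
    for url, html in site.items():
        parser = FormCollector(url)
        parser.feed(html)
        for action, method in parser.forms:
            if method == "post":  # assumption: POST == state-changing
                referrers[action].add(url)
    return sorted(((a, len(r)) for a, r in referrers.items()),
                  key=lambda item: (item[1], item[0]))


# Constructed CMS-like crawl: login on every page, "new page" form on two
# pages, and the "commit" form only on the editor page; search is GET.
SAMPLE_SITE = {
    "https://cms.example/": '<form action="/search" method="get"></form>'
                            '<form action="/login" method="post"></form>',
    "https://cms.example/docs": '<form action="/login" method="POST"></form>'
                                '<form action="/page/new" method="post"></form>',
    "https://cms.example/about": '<form action="/login" method="post"></form>'
                                 '<form action="/page/new" method="post"></form>',
    "https://cms.example/page/new": '<form action="/page/commit" method="post"></form>',
}

if __name__ == "__main__":
    for action, count in rank_forms_by_referrers(SAMPLE_SITE):
        print(f"{count:>3} referrer(s)  {action}")
```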