[WEB SECURITY] How are you tackling CSRF?

James Manico jim at manico.net
Sat Apr 23 17:23:11 EDT 2011


Hey Steve,

In a intranet environment where all browser/network settings are
controlled, HTTP Referrer header verification (what you are suggesting
below) can be effective as a •partial• CSRF defense to be used in
addition to cryptographic nonces.

But when your website has Internet-facing customers/consumers, you can
no longer rely on referrer headers. Some organizations strip them in
an outbound way to prevent data leakage.

Jim Manico

On Apr 23, 2011, at 9:33 AM, "Steven M. Christey"
<coley at rcf-smtp.mitre.org> wrote:

>
> Disclaimer: I'm mostly ignorant about automated detection of CSRF.
>
> Just a random thought.  Has anybody investigated filtering/prioritizing forms based on how many pages invoke those forms?  I would guess that some critical state-changing forms would only be accessible from a single page, whereas (e.g.) a search or login function might be accessible from many.
>
> In a CMS scenario for example, there might be lots of pages that link to a "create a new page" form, but only one page that points to the form "commit the new page content you just filled in."
>
> This might not serve as *proof* that a form should have CSRF protection, but it might be one way of sorting the potential false-positives.
>
> - Steve
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org




More information about the websecurity mailing list