[WEB SECURITY] prevent CSRF with origin header

James Manico jim at manico.net
Sun Mar 31 12:59:20 EDT 2013


Hello,

I manage the cheat sheet series for OWASP.

I'm looking for a volunteer to fully rewrite the CSRF Cheatsheet. It
needs a major refresh. If anyone is interested, please drop me a line.

Regards,
--
Jim Manico
@Manicode
(808) 652-3805

On Apr 1, 2013, at 12:53 AM, Taras <oxdef at oxdef.info> wrote:

> Hi,
>
> BTW, what about browsers' support of the Origin header? FF/Chrome/Opera/IE?
>
> On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
>> Hi,
>>
>> The OWASP CSRF prevention cheat sheet
>> (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
>> mentions the origin header as a method to prevent CSRF.
>>
>> But isn't this method vulnerable to the same problem that affected Rails
>> some time ago, which was based on a malicious Flash file with a 307 redirect
>> that in some circumstances would allow cross-domain custom headers?
>>
>>
>> thanks
>>
>> Tiago Mendo
>
>
> --
> Taras
> http://oxdef.info
> GPG: C8D1F510
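As an added illustration of the source-origin check the cheat sheet describes (example code written for this thread, not OWASP's or any poster's), a small Python verifier that prefers Origin, falls back to Referer, and rejects state-changing requests that carry neither, a `null` origin, or a non-matching scheme, host or port. The function names `normalize_origin` and `request_allowed` and the allow-list values are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed example of the Origin/Referer check for CSRF defence. It trusts
# the browser to set these headers honestly; if a plugin or redirect quirk lets
# a cross-site page forge them (the concern raised in the thread), this check
# alone is not a sufficient CSRF defence and should sit beside a token check.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def normalize_origin(url: str) -> Optional[str]:
    """Reduce a URL or origin string to scheme://host[:port], lowercased.

    Returns None for unparseable values, including the literal 'null'
    that browsers send for sandboxed or opaque origins.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port such as "https://h:abc"
        return None
    default_port = 443 if parts.scheme == "https" else 80
    port = port or default_port
    host = parts.hostname.lower()
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def request_allowed(method: str, headers: dict, allowed_origins: set) -> bool:
    """Return True if the request passes the source-origin check.

    Safe methods are always allowed. State-changing methods must carry an
    Origin (preferred) or Referer header whose origin is on the allow-list;
    a request with neither header is rejected rather than trusted.
    """
    if method.upper() in SAFE_METHODS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False
    origin = normalize_origin(source)
    if origin is None:
        return False
    return origin in {normalize_origin(o) for o in allowed_origins}
```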
