Difference between revisions of "Summit 2011 Working Sessions/Session029"
From OWASP
Mark Thomas (talk | contribs) (Mark Thomas / Apache Tomcat) |
|||
(13 intermediate revisions by 11 users not shown) | |||
Line 2: | Line 2: | ||
|- | |- | ||
− | | summit_session_attendee_name1 = | + | | summit_session_attendee_name1 = Chris Schmidt |
− | | summit_session_attendee_email1 = | + | | summit_session_attendee_email1 = [email protected] |
− | | summit_session_attendee_company1= | + | | summit_session_attendee_username1 = |
+ | | summit_session_attendee_company1=Aspect Security | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1= | ||
| summit_session_attendee_name2 = Achim Hoffmann | | summit_session_attendee_name2 = Achim Hoffmann | ||
| summit_session_attendee_email2 = [email protected] | | summit_session_attendee_email2 = [email protected] | ||
+ | | summit_session_attendee_username2 = Achim | ||
| summit_session_attendee_company2= sic[!]sec | | summit_session_attendee_company2= sic[!]sec | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=capabilities of WAFs to protect against CSRF | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=capabilities of WAFs to protect against CSRF | ||
Line 14: | Line 16: | ||
| summit_session_attendee_name3 = Ryan Barnett | | summit_session_attendee_name3 = Ryan Barnett | ||
| summit_session_attendee_email3 = [email protected] | | summit_session_attendee_email3 = [email protected] | ||
+ | | summit_session_attendee_username3 = | ||
| summit_session_attendee_company3=Trustwave's SpiderLabs | | summit_session_attendee_company3=Trustwave's SpiderLabs | ||
− | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=discuss how WAFs (ModSecurity) can help mitigate CSRF | + | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=discuss how WAFs (ModSecurity) can help mitigate CSRF. Also want to discuss/test new CSRFGuard v3 JS code |
− | | summit_session_attendee_name4 = | + | | summit_session_attendee_name4 = Mark Thomas |
− | | summit_session_attendee_email4 = | + | | summit_session_attendee_email4 = [email protected] |
− | | summit_session_attendee_company4= | + | | summit_session_attendee_username4 = |
− | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4= | + | | summit_session_attendee_company4= Apache Software Foundation |
+ | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=Looking for ideas to improve Apache Tomcat's built-in CSRF protection | ||
− | | summit_session_attendee_name5 = | + | | summit_session_attendee_name5 = Vishal Garg |
− | | summit_session_attendee_email5 = | + | | summit_session_attendee_email5 = [email protected] |
− | | summit_session_attendee_company5= | + | | summit_session_attendee_username5 = |
− | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5= | + | | summit_session_attendee_company5= AppSecure Labs |
+ | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5= WAFs vs. Frameworks to protect against CSRF | ||
| summit_session_attendee_name6 = | | summit_session_attendee_name6 = | ||
| summit_session_attendee_email6 = | | summit_session_attendee_email6 = | ||
+ | | summit_session_attendee_username6 = | ||
| summit_session_attendee_company6= | | summit_session_attendee_company6= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6= | ||
Line 34: | Line 40: | ||
| summit_session_attendee_name7 = | | summit_session_attendee_name7 = | ||
| summit_session_attendee_email7 = | | summit_session_attendee_email7 = | ||
+ | | summit_session_attendee_username7 = | ||
| summit_session_attendee_company7= | | summit_session_attendee_company7= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7= | ||
Line 39: | Line 46: | ||
| summit_session_attendee_name8 = | | summit_session_attendee_name8 = | ||
| summit_session_attendee_email8 = | | summit_session_attendee_email8 = | ||
+ | | summit_session_attendee_username8 = | ||
| summit_session_attendee_company8= | | summit_session_attendee_company8= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8= | ||
Line 44: | Line 52: | ||
| summit_session_attendee_name9 = | | summit_session_attendee_name9 = | ||
| summit_session_attendee_email9 = | | summit_session_attendee_email9 = | ||
+ | | summit_session_attendee_username9 = | ||
| summit_session_attendee_company9= | | summit_session_attendee_company9= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9= | ||
Line 49: | Line 58: | ||
| summit_session_attendee_name10 = | | summit_session_attendee_name10 = | ||
| summit_session_attendee_email10 = | | summit_session_attendee_email10 = | ||
+ | | summit_session_attendee_username10 = | ||
| summit_session_attendee_company10= | | summit_session_attendee_company10= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10= | ||
Line 54: | Line 64: | ||
| summit_session_attendee_name11 = | | summit_session_attendee_name11 = | ||
| summit_session_attendee_email11 = | | summit_session_attendee_email11 = | ||
+ | | summit_session_attendee_username11 = | ||
| summit_session_attendee_company11= | | summit_session_attendee_company11= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11= | ||
Line 59: | Line 70: | ||
| summit_session_attendee_name12 = | | summit_session_attendee_name12 = | ||
| summit_session_attendee_email12 = | | summit_session_attendee_email12 = | ||
+ | | summit_session_attendee_username12 = | ||
| summit_session_attendee_company12= | | summit_session_attendee_company12= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12= | ||
Line 64: | Line 76: | ||
| summit_session_attendee_name13 = | | summit_session_attendee_name13 = | ||
| summit_session_attendee_email13 = | | summit_session_attendee_email13 = | ||
+ | | summit_session_attendee_username13 = | ||
| summit_session_attendee_company13= | | summit_session_attendee_company13= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13= | ||
Line 69: | Line 82: | ||
| summit_session_attendee_name14 = | | summit_session_attendee_name14 = | ||
| summit_session_attendee_email14 = | | summit_session_attendee_email14 = | ||
+ | | summit_session_attendee_username14 = | ||
| summit_session_attendee_company14= | | summit_session_attendee_company14= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= | ||
Line 74: | Line 88: | ||
| summit_session_attendee_name15 = | | summit_session_attendee_name15 = | ||
| summit_session_attendee_email15 = | | summit_session_attendee_email15 = | ||
+ | | summit_session_attendee_username15 = | ||
| summit_session_attendee_company15= | | summit_session_attendee_company15= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15= | ||
Line 79: | Line 94: | ||
| summit_session_attendee_name16 = | | summit_session_attendee_name16 = | ||
| summit_session_attendee_email16 = | | summit_session_attendee_email16 = | ||
+ | | summit_session_attendee_username16 = | ||
| summit_session_attendee_company16= | | summit_session_attendee_company16= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16= | ||
Line 84: | Line 100: | ||
| summit_session_attendee_name17 = | | summit_session_attendee_name17 = | ||
| summit_session_attendee_email17 = | | summit_session_attendee_email17 = | ||
+ | | summit_session_attendee_username17 = | ||
| summit_session_attendee_company17= | | summit_session_attendee_company17= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17= | ||
Line 89: | Line 106: | ||
| summit_session_attendee_name18 = | | summit_session_attendee_name18 = | ||
| summit_session_attendee_email18 = | | summit_session_attendee_email18 = | ||
+ | | summit_session_attendee_username18 = | ||
| summit_session_attendee_company18= | | summit_session_attendee_company18= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18= | ||
Line 94: | Line 112: | ||
| summit_session_attendee_name19 = | | summit_session_attendee_name19 = | ||
| summit_session_attendee_email19 = | | summit_session_attendee_email19 = | ||
+ | | summit_session_attendee_username19 = | ||
| summit_session_attendee_company19= | | summit_session_attendee_company19= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19= | ||
Line 99: | Line 118: | ||
| summit_session_attendee_name20 = | | summit_session_attendee_name20 = | ||
| summit_session_attendee_email20 = | | summit_session_attendee_email20 = | ||
+ | | summit_session_attendee_username20 = | ||
| summit_session_attendee_company20= | | summit_session_attendee_company20= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20= | ||
Line 107: | Line 127: | ||
| summit_session_name = Protecting Against CSRF | | summit_session_name = Protecting Against CSRF | ||
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session029 | | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session029 | ||
+ | | mailing_list = | ||
|- | |- | ||
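Review bot: the mailing_list parameter added in this hunk is left empty, so the rendered "Mailing list Subscription Page" row for this session will show nothing. Either fill in the list address or leave the parameter out until a list exists, so the page does not advertise a subscription page that is not there.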
Line 158: | Line 179: | ||
|- | |- | ||
− | |summit_session_deliverable_name1 = | + | |summit_session_deliverable_name1 = A practical guideline for protecting against CSRF in the real world. |
− | |||
− | |summit_session_deliverable_name2 = | + | |summit_session_deliverable_name2 = A concise, clear standard for determining whether an application is vulnerable to CSRF. |
− | |||
|summit_session_deliverable_name3 = | |summit_session_deliverable_name3 = | ||
− | |||
|summit_session_deliverable_name4 = | |summit_session_deliverable_name4 = | ||
− | |||
|summit_session_deliverable_name5 = | |summit_session_deliverable_name5 = | ||
− | | | + | |
+ | |summit_session_deliverable_name6 = | ||
+ | |||
+ | |summit_session_deliverable_name7 = | ||
+ | |||
+ | |summit_session_deliverable_name8 = | ||
|- | |- | ||
− | | summit_session_leader_name1 = | + | | summit_session_leader_name1 = |
| summit_session_leader_email1 = | | summit_session_leader_email1 = | ||
− | | summit_session_leader_name2 = | + | | summit_session_leader_name2 = |
| summit_session_leader_email2 = | | summit_session_leader_email2 = | ||
+ | | summit_session_leader_username2 = | ||
| summit_session_leader_name3 = | | summit_session_leader_name3 = | ||
| summit_session_leader_email3 = | | summit_session_leader_email3 = | ||
+ | | summit_session_leader_username3 = | ||
|- | |- | ||
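Review bot: the two deliverables are now filled in, but summit_session_leader_name1 through summit_session_leader_name3 and their email fields are still blank in the same hunk, so the session ships with deliverables and five participants but no chair on the rendered page. The placeholder lines summit_session_deliverable_name6 through summit_session_deliverable_name8 added here are also empty; they only add rows of "After the Board Meeting - fill in here." to the outcomes table.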
Line 188: | Line 212: | ||
| operational_leader_name1 = | | operational_leader_name1 = | ||
| operational_leader_email1 = | | operational_leader_email1 = | ||
+ | | operational_leader_username1 = | ||
|- | |- |
Latest revision as of 23:25, 7 February 2011
Protecting Against CSRF
WORKING SESSION IDENTIFICATION

Short Work Session Description: Examining different ways to build CSRF protection into web applications and web frameworks.
Related Projects (if any):
Email Contacts & Roles: Chair:
Operational Manager:
Mailing list Subscription Page:

WORKING SESSION SPECIFICS

Objectives:
Venue/Room: OWASP Global Summit Portugal 2011
Date & Time:
Discussion Model: participants and attendees

WORKING SESSION OPERATIONAL RESOURCES

Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS

WORKING SESSION OUTCOMES / DELIVERABLES

Proposed by Working Group | Approved by OWASP Board
---|---
A practical guideline for protecting against CSRF in the real world. | After the Board Meeting - fill in here.
A concise, clear standard for determining whether an application is vulnerable to CSRF. | After the Board Meeting - fill in here.
WORKING SESSION PARTICIPANTS

Name | Company | Notes & reason for participating, issues to be discussed/addressed
---|---|---
Chris Schmidt | Aspect Security |
Achim Hoffmann | sic[!]sec | capabilities of WAFs to protect against CSRF
Ryan Barnett | Trustwave's SpiderLabs | discuss how WAFs (ModSecurity) can help mitigate CSRF. Also want to discuss/test new CSRFGuard v3 JS code
Mark Thomas | Apache Software Foundation | Looking for ideas to improve Apache Tomcat's built-in CSRF protection
Vishal Garg | AppSecure Labs | WAFs vs. Frameworks to protect against CSRF