Difference between revisions of "Talk:Testing for CSRF (OTG-SESS-005)"
Revision as of 17:39, 6 February 2007
This chapter really should be called Cross site request forgeries. Session riding is becoming old skool. Vanderaj 20:25, 15 January 2007 (EST)
Good Call. Jeff has made the changes. Matteo Meucci 20.00, 18 January 2007
Point 3 needs to be clarified
Point 3 states "Point 3) By “known by the browser” we mean information such as cookies or http-based authentication information (such as Basic Authentication; NOT form-based authentication)..."
Form-based authentication in its generic sense means that we initially perform authentication via a form. If we do this, our session ID can be stored in a non-persistent cookie (e.g., session cookie), which is still vulnerable to CSRF attacks since they are automatically sent along with every request. I think implying that form-based authentication is secure is inaccurate. The only time form-based authN is safe from CSRF is if session cookies are not used and the session ID is rewritten in the URL (though this is another vulnerability in itself).
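As an added illustration (not part of the thread or the OWASP guide), a small in-memory model of the point made above: a login that happens through a form still ends in a session cookie, the browser attaches that cookie to every request for the origin no matter which page built the request, and what stops the forged request is a per-session token that a foreign page cannot read. The app, user, credential and amounts are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session created after a successful form login."""
    user: str
    # Synchronizer token: random per session, embedded only in forms the app renders.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class App:
    """Constructed model of a web app: form login, then cookie-tracked session."""

    def __init__(self):
        self.sessions = {}            # session id (cookie value) -> Session
        self.balance = {"alice": 100}  # constructed account state

    def login(self, username, password):
        """Form-based login. Returns the session id the app would Set-Cookie."""
        if password != "correct horse":  # constructed credential check
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=username)
        return sid

    def transfer(self, cookies, form, require_token):
        """State-changing POST handler. Returns an HTTP-style status code."""
        session = self.sessions.get(cookies.get("sid"))
        if session is None:
            return 401
        # Mitigation: demand the token that only the app's own form carries.
        if require_token and form.get("csrf") != session.csrf_token:
            return 403
        self.balance[session.user] -= int(form["amount"])
        return 200


def simulate(require_token):
    """Replay one forged and one legitimate request against the same session."""
    app = App()
    sid = app.login("alice", "correct horse")
    browser_cookies = {"sid": sid}  # what the browser stores after the form login
    # Request body built by a third-party page: the browser still sends the cookie
    # jar, but that page has no way to learn the session's csrf_token value.
    forged_status = app.transfer(browser_cookies, {"amount": "40"}, require_token)
    # Request from the app's own rendered form, which embeds the token.
    legit_form = {"amount": "10", "csrf": app.sessions[sid].csrf_token}
    legit_status = app.transfer(browser_cookies, legit_form, require_token)
    return forged_status, legit_status, app.balance["alice"]
```

With `require_token=False` both requests succeed and the balance drops to 50; with `require_token=True` the forged request is refused and only the legitimate transfer is applied.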