
Talk:Testing for CSRF (OTG-SESS-005)

From OWASP
Revision as of 17:39, 6 February 2007 by Kcheng (talk | contribs) (Point 3 needs to be clarified)


This chapter really should be called Cross site request forgeries. Session riding is becoming old skool. Vanderaj 20:25, 15 January 2007 (EST)
Good call. Jeff has made the changes. Matteo Meucci 20.00, 18 January 2007

Point 3 needs to be clarified

Point 3 states "Point 3) By “known by the browser” we mean information such as cookies or http-based authentication information (such as Basic Authentication; NOT form-based authentication)..."

Form-based authentication, in its generic sense, means that we initially perform authentication via a form. If we do this, our session ID can be stored in a non-persistent cookie (e.g., a session cookie), which is still vulnerable to CSRF attacks since such cookies are automatically sent along with every request. I think implying that form-based authentication is secure is inaccurate. The only time form-based authN is safe from CSRF is if session cookies are not used and the session ID is rewritten into the URL (though this is another vulnerability in itself).
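To make the point above concrete, here is an added example (not code from the OWASP Testing Guide or from any of the commenters) that models a state-changing POST handler behind a form-based login. The session store, the cookie name "sid", the "transfer" form fields and the balances are all constructed for the demonstration. The vulnerable handler trusts the session cookie alone, so a request triggered from an attacker's page, to which the browser automatically attaches the victim's cookie, succeeds. The hardened handler additionally requires a per-session synchronizer token that is embedded in the legitimate page rather than in a cookie, which the cross-site request cannot supply.

```python
import hmac
import secrets

# Constructed in-memory state for the example (assumption: the server issues a
# session cookie named "sid" after a successful form-based login).
SESSIONS = {}
BALANCES = {"alice": 100, "mallory": 0}


def login(username: str) -> str:
    """Form-based login, credentials already verified. Returns the session id the
    server would set as the "sid" cookie and binds a CSRF token to that session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in the legitimate form as a hidden field."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(cookies: dict, form: dict) -> str:
    """State-changing POST that authorises on the session cookie alone."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    amount = int(form["amount"])
    BALANCES[sess["user"]] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return "200 transferred"


def transfer_hardened(cookies: dict, form: dict) -> str:
    """Same handler plus a synchronizer-token check. The token travels in the
    request body, not in a cookie, so the browser will not add it on its own."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return "403 csrf token missing or invalid"
    return transfer_vulnerable(cookies, form)


def forged_request(victim_cookies: dict, attacker_form: dict) -> tuple:
    """Models a request launched from the attacker's page (e.g. an auto-submitting
    form): the attacker controls the body, the browser attaches the victim's cookies."""
    return victim_cookies, dict(attacker_form)


def demo() -> dict:
    """Runs the forged request against both handlers and a legitimate request
    against the hardened one; returns the responses and resulting balances."""
    results = {}
    BALANCES.update({"alice": 100, "mallory": 0})
    sid = login("alice")
    victim_cookies = {"sid": sid}
    attacker_form = {"to": "mallory", "amount": "100"}

    results["forged_vs_vulnerable"] = transfer_vulnerable(
        *forged_request(victim_cookies, attacker_form))
    results["balances_after_vulnerable"] = dict(BALANCES)

    BALANCES.update({"alice": 100, "mallory": 0})
    results["forged_vs_hardened"] = transfer_hardened(
        *forged_request(victim_cookies, attacker_form))
    results["balances_after_hardened"] = dict(BALANCES)

    legit_form = dict(attacker_form, csrf_token=csrf_token_for(sid))
    results["legit_vs_hardened"] = transfer_hardened(victim_cookies, legit_form)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged request is accepted by `transfer_vulnerable` even though the user logged in through a form, which is exactly the point of the comment above: what matters is that the credential (here the session cookie) is attached by the browser automatically, not how the session was established. The hardened handler rejects the same request with a 403 and only accepts the copy that carries the token from the legitimate page.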