
Difference between revisions of "Talk:Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet"

From OWASP
(Created page with 'Checking Referer Header is used to patch the most dangerous CSRF vulnerability ever discovered (which was by me http://www.kb.cert.org/vuls/id/643049 Michael Brooks). This arti…')
Line 1:

Checking Referer Header is used to patch the most dangerous CSRF vulnerability ever discovered (which was by me http://www.kb.cert.org/vuls/id/643049 Michael Brooks). This article is incorrect and I am changing it. If you have a problem then you should contact me, but as it stands I cannot allow this page to spread false information.

+ ----

+ That is not the most dangerous CSRF vuln ever discovered! You are either really full of yourself, or you know very little about CSRF. I have found CSRF bugs that could have trivially been exploited for millions of dollars of theft, and those aren't the worst ones out there. I'm going to update the Referer Header section to be more accurate and include GET-based CSRF attacks (such as open redirection, probably from the login page) that referer checking usually doesn't cover either (which is one of its biggest flaws).

Revision as of 02:45, 27 June 2012

Checking Referer Header is used to patch the most dangerous CSRF vulnerability ever discovered (which was by me http://www.kb.cert.org/vuls/id/643049 Michael Brooks). This article is incorrect and I am changing it. If you have a problem then you should contact me, but as it stands I cannot allow this page to spread false information.


That is not the most dangerous CSRF vuln ever discovered! You are either really full of yourself, or you know very little about CSRF. I have found CSRF bugs that could have trivially been exploited for millions of dollars of theft, and those aren't the worst ones out there. I'm going to update the Referer Header section to be more accurate and include GET-based CSRF attacks (such as open redirection, probably from the login page) that referer checking usually doesn't cover either (which is one of its biggest flaws).
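The disagreement above is about how much protection Referer checking actually gives. As an added example that is not part of this talk page or of the cheat sheet it discusses, the block below puts a lenient Referer check (accepts a missing header, matches the host by substring) beside a strict origin comparison and a synchronizer-token check, and runs all three over constructed requests. The site origin `https://bank.example`, the token value, the request dicts and the check functions are all constructed assumptions for illustration; the block covers the stripped-Referer and look-alike-host weaknesses and does not try to model the open-redirection case the second comment mentions.

```python
"""Added example (not the OWASP page's own code): which CSRF requests do a
lenient Referer check, a strict Referer check and a synchronizer token stop?
Every request below is constructed for illustration."""
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"          # assumed protected origin
SESSION_TOKEN = "constructed-session-token"   # assumed token held in the server-side session


def lenient_referer_check(request: dict) -> bool:
    """Common weak pattern: tolerate a missing Referer and match by substring."""
    referer = request["headers"].get("Referer")
    if referer is None:
        return True                            # 'be forgiving' because browsers/proxies strip it
    return "bank.example" in referer           # substring match, not an origin comparison


def strict_referer_check(request: dict) -> bool:
    """Require the header and compare the full origin (scheme + host[:port])."""
    referer = request["headers"].get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def token_check(request: dict, session_token: str = SESSION_TOKEN) -> bool:
    """Synchronizer token: the request must carry the token bound to the session,
    here as a form field or an X-CSRF-Token header (both names are assumptions)."""
    supplied = request["form"].get("csrf_token") or request["headers"].get("X-CSRF-Token")
    return supplied is not None and hmac.compare_digest(supplied, session_token)


# Constructed requests: one legitimate, three that a defender wants rejected.
REQUESTS = {
    # Form submitted from the site's own page, token present.
    "legitimate": {"headers": {"Referer": "https://bank.example/transfer"},
                   "form": {"csrf_token": SESSION_TOKEN, "to": "alice"}},
    # Auto-submitted form from a third-party page: foreign Referer, no token.
    "cross_site": {"headers": {"Referer": "https://evil.example/page"},
                   "form": {"to": "mallory"}},
    # Same, but the Referer header was stripped (e.g. a no-referrer policy).
    "no_referer": {"headers": {}, "form": {"to": "mallory"}},
    # Look-alike host that a substring match accepts.
    "lookalike_host": {"headers": {"Referer": "https://bank.example.evil.example/"},
                       "form": {"to": "mallory"}},
}


def evaluate(requests: dict = REQUESTS) -> dict:
    """Return {request_name: {check_name: accepted}} for every constructed request."""
    checks = {"lenient_referer": lenient_referer_check,
              "strict_referer": strict_referer_check,
              "token": token_check}
    return {name: {cname: fn(req) for cname, fn in checks.items()}
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        accepted = ", ".join(c for c, ok in verdicts.items() if ok) or "(none)"
        print(f"{name:15s} accepted by: {accepted}")
```

The lenient check passes both the stripped-Referer and the look-alike-host requests; the strict check rejects them, but it also rejects any legitimate user whose browser or proxy removes the header, which is why Referer checking is treated as a secondary defence and the token check as the primary one.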