This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Talk:Testing for CSRF (OTG-SESS-005)

From OWASP
Revision as of 17:39, 6 February 2007 by Kcheng (talk | contribs) (Point 3 needs to be clarified)

Jump to: navigation, search

This chapter really should be called Cross site request forgeries. Session riding is becoming old skool. Vanderaj 20:25, 15 January 2007 (EST)
Good Call. Jeff has made the changes. Matteo Meucci 20.00, 18 Janaury 2007

Point 3 needs to be clarified

Point 3 states "Point 3) By “known by the browser” we mean information such as cookies or http-based authentication information (such as Basic Authentication; NOT form-based authentication)..."

Form-based authentication in its generic sense, means that we initially perform authentication via a form. If we do this, our session ID can be stored in a non-persistent cookie (e.g., session cookie), which is still vulnerable to CSRF attacks since they are automatically sent along with every request. I think implying that form-based authentication is secure is inaccurate. The only time form-based authN is safe from CSRF is if session cookies are not used and the session ID is rewritten in the URL (though this is another vulnerability in itself).

Retrieved from "https://wiki.owasp.org/index.php?title=Talk:Testing_for_CSRF_(OTG-SESS-005)&oldid=16234"