Security Basics mailing list archives

Re: Cross-Site Request Forgeries


From: Emilio Casbas <ecasbas () s21sec com>
Date: Mon, 28 Jul 2008 09:08:42 +0200

Ricardo Tiago wrote:
Hi,

What methods exist to protect against Cross-Site Request Forgeries?
And what is the most efficient one?


- Inspecting Referer headers (it could be forged)
- Validation via user-provided secret (ask for password for important transactions)
- Validation via "action token" (in order to distinguish the genuine
  URL from the forged one). The most efficient.

Take a look:
http://www.cgisecurity.com/articles/csrf-faq.shtml

Regards
Emilio.
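The third option above (the action token) as an added example, not code from the thread: the server derives a per-session, per-action HMAC token, embeds it in the genuine form, and rejects any POST that does not carry it. The session id, the SESSIONS store and the handler names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> secret.
SESSIONS = {"sess-42": secrets.token_bytes(32)}


def issue_token(session_id: str, action: str) -> str:
    """Derive an action token tied to one session and one action (e.g. 'transfer').
    It is an HMAC over a server-side secret, so a page on another origin cannot
    compute it: the secret never leaves the server and is not in any cookie."""
    secret = SESSIONS[session_id]
    msg = f"{session_id}:{action}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_token(session_id: str, action: str, submitted: str) -> bool:
    """Recompute the expected token and compare it in constant time."""
    if session_id not in SESSIONS or not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id, action), submitted)


def render_transfer_form(session_id: str) -> str:
    """The genuine page embeds the token as a hidden field (constructed HTML)."""
    token = issue_token(session_id, "transfer")
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(session_id: str, form: dict) -> str:
    """Server side of POST /transfer. The session cookie alone is not proof of
    intent, because the browser attaches it to cross-site requests too; only a
    request carrying the matching action token is treated as genuine."""
    if not verify_token(session_id, "transfer", form.get("csrf_token", "")):
        return "rejected: missing or invalid action token"
    return f"ok: transfer {form['amount']} to {form['to']}"


if __name__ == "__main__":
    # Genuine submission: the browser posts the token from the real form.
    genuine = {"csrf_token": issue_token("sess-42", "transfer"),
               "to": "alice", "amount": "10"}
    print(handle_transfer("sess-42", genuine))
    # Cross-site submission: the cookie arrives, the token does not.
    print(handle_transfer("sess-42", {"to": "mallory", "amount": "1000"}))
```

A token derived this way is fixed for the lifetime of the session; rotating the session secret on login (and regenerating it after privilege changes) bounds how long a leaked token stays valid.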


