Secure Coding mailing list archives

Announcement: The Cross-site Request Forgery FAQ


From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Thu, 18 Jan 2007 14:13:20 -0500 (EST)

URL: The Cross-site Request Forgery FAQ
http://www.cgisecurity.com/articles/csrf-faq.shtml

> Regarding "Who discovered CSRF?", the attack is mentioned in section
> 4.3.5 of RFC 2109, which dates back to February 1997.  Of course, the
> suggested remedies look rather strange today.

I hadn't seen that. I'll add a brief note about it.


> Your characterisation of cross-site scripting attacks ("Cross-Site
> Scripting exploits the trust that a user has for the website or
> application.") is somewhat misleading, unless one reads "client" for
> "user".

Yes, that wording is much better. Updated; thanks for pointing it out.

- Robert
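The distinction the thread turns on (CSRF abuses the trust a site places in the user's browser, because the browser attaches the session cookie to any request, whatever page issued it) is easiest to see with a state-changing handler run against a forged and a genuine request. The following is an added example, not code from the thread or from the FAQ it announces; the session store, the handler names, the synchronizer-token scheme and the origins bank.example and evil.example are all assumed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical in-memory session store: session id -> session data.
# A real application would keep this server-side in a database or cache.
SESSIONS: Dict[str, Dict[str, str]] = {}


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP POST.

    The browser attaches the session cookie regardless of which origin's
    page issued the request; that ambient credential is what CSRF exploits.
    """
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None  # value of the Origin header, if the browser sent one


def login(user: str) -> str:
    """Create a session and mint a per-session CSRF secret."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def transfer_vulnerable(req: Request) -> Tuple[int, str]:
    """Authorises a state-changing action on the session cookie alone.

    Any site that can make the victim's browser POST here succeeds.
    """
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def transfer_hardened(req: Request, trusted_origin: str = "https://bank.example") -> Tuple[int, str]:
    """Same action, guarded by a synchronizer token plus an Origin check."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    # The token is embedded in the bank's own form; the same-origin policy
    # stops a page on another origin from reading it, so a forged POST
    # cannot supply it. compare_digest avoids a timing side channel.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    # Defence in depth: when the browser sends Origin on a POST, reject
    # anything that did not come from our own origin.
    if req.origin is not None and req.origin != trusted_origin:
        return 403, "cross-origin request rejected"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def demo() -> Dict[str, int]:
    """Run one genuine and one forged request through both handlers."""
    sid = login("alice")
    # Genuine submission from the bank's own page, carrying the token.
    genuine = Request(
        cookies={"sid": sid},
        form={"to": "bob", "amount": "10", "csrf_token": SESSIONS[sid]["csrf"]},
        origin="https://bank.example",
    )
    # Forged submission: a page on evil.example auto-submits a form to the
    # bank. The browser still attaches alice's cookie, but the attacker
    # cannot read her token, so the form carries none.
    forged = Request(
        cookies={"sid": sid},
        form={"to": "mallory", "amount": "1000"},
        origin="https://evil.example",
    )
    return {
        "vulnerable_forged": transfer_vulnerable(forged)[0],
        "hardened_forged": transfer_hardened(forged)[0],
        "hardened_genuine": transfer_hardened(genuine)[0],
        "hardened_anonymous": transfer_hardened(Request(cookies={}, form={}))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler accepts the forged request because the cookie is all it checks; the hardened one refuses it for lack of the token, while the genuine request from the bank's own form still goes through. Note that the token check alone is sufficient against CSRF; the Origin comparison is a second, independent barrier and must not be relied on by itself, since older clients omit the header.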
