Secure Coding mailing list archives
How do you find CSRF?
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 22 Apr 2011 12:28:19 -0700
Hello fellow SCLers.

Cross-Site Request Forgery (CSRF) has been generating a high volume of questions for us in the last year, as well as noticing increased discussions on the webappsec mailing lists. As Jeremiah noted over on the WASC list - this is a welcome change really -- for most of the last decade CSRF was ignored, until the Bad Peoples started exploiting it in the wild.

To bring more clarity to the subject of CSRF - we have published a detailed article describing our testing methodology and categorizations for CSRF. We are very interested in how other pen-testers, source code reviewers, and developers are tackling the CSRF issue! Quite frankly most automated detection is sorely limited, and mitigation strategies are usually subverted by the detritus of XSS littering most applications:

WhiteHat Security's Approach to Detecting Cross-Site Request Forgery (CSRF)
https://blog.whitehatsec.com/whitehat-security%E2%80%99s-approach-to-detecting-cross-site-request-forgery-csrf/

Due to popular demand WhiteHat launched a new blog several weeks ago. Jeremiah Grossman, myself, and the 30-some software security engineers who do R&D in WhiteHat's Threat Research Center will all be posting their application security content at this new blog.

https://blog.whitehatsec.com/

Gary McGraw has been harping on me for years to start blogging more about blackbox testing, practically begging me, so I finally capitulated! This should be a resource where folks from the SCL can learn about the scientific marriage of dynamic testing with static analysis and secure coding initiatives!
Cheerio,

---
Arian Evans
Specialist, Strategically Scaling Software Security

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
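The post above raises two points that are easier to see in code: what a CSRF mitigation actually has to check on a state-changing request, and why an automated scanner can only go so far in detecting the absence of that check. The example below is added here for illustration; it is not code from the post, from WhiteHat, or from the linked article. It assumes a hypothetical "transfer" form handler with a server-side session dict, a site origin of `https://bank.example`, and a constructed sample HTML page. The vulnerable handler accepts any POST; the hardened one applies the synchronizer-token pattern plus an Origin/Referer check. The scanner-side heuristic flags POST forms with no token-like field, which is roughly the limit of what black-box detection can confirm: a form that carries a token may still never be validated, and a token read out via an XSS bug on the same origin defeats the check entirely, which is the "detritus of XSS" problem the post describes.

```python
import hmac
import re
import secrets
from html.parser import HTMLParser

# --- Mitigation side: synchronizer token pattern (hypothetical minimal handler) ---

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session anti-CSRF token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def handle_transfer_vulnerable(session: dict, form: dict) -> str:
    """State-changing handler with no CSRF defence: a forged cross-site POST succeeds."""
    return f"transferred {form['amount']} to {form['to']}"

def handle_transfer_hardened(session: dict, form: dict, request_headers: dict,
                             site_origin: str = "https://bank.example") -> str:
    """Same action, but requires (a) a same-site Origin/Referer when one is present
    and (b) a form token matching the session token, compared in constant time."""
    origin = request_headers.get("Origin") or request_headers.get("Referer")
    if origin is not None and not origin.startswith(site_origin):
        return "rejected: cross-site origin"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to']}"

# --- Detection side: the kind of heuristic a black-box scanner can apply ---

class _FormCollector(HTMLParser):
    """Collect every <form> with its method, action and input field names."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

# Field names that commonly carry an anti-CSRF token (assumption: naming convention only).
TOKEN_FIELD = re.compile(r"csrf|xsrf|_token|authenticity", re.I)

def forms_without_token(html: str) -> list:
    """Return the actions of POST forms that carry no token-like field.
    This only proves absence of a token; presence does not prove it is validated."""
    p = _FormCollector()
    p.feed(html)
    return [f["action"] for f in p.forms
            if f["method"] == "post"
            and not any(TOKEN_FIELD.search(n) for n in f["fields"])]

# Constructed sample page: one unprotected POST form, one with a token, one GET form.
SAMPLE_PAGE = """
<form action="/transfer" method="post">
  <input name="to"><input name="amount"><input type="submit">
</form>
<form action="/profile" method="post">
  <input type="hidden" name="csrf_token" value="abc"><input name="nick">
</form>
<form action="/search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(handle_transfer_hardened(session, {"amount": "10", "to": "x"},
                                   {"Origin": "https://evil.example"}))
    print(handle_transfer_hardened(session, {"amount": "10", "to": "x", "csrf_token": token},
                                   {"Origin": "https://bank.example"}))
    print(forms_without_token(SAMPLE_PAGE))
```

Two caveats a practitioner would want: the hardened handler only rejects a cross-site request when an Origin or Referer header is present, so a stricter policy would refuse requests that send neither; and `forms_without_token` reports `/transfer` but says nothing about whether `/profile` actually validates its `csrf_token`, which is exactly the gap that makes automated CSRF detection limited.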