Secure Coding mailing list archives

How do you find CSRF?


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 22 Apr 2011 12:28:19 -0700

Hello fellow SCLers.

Cross-Site Request Forgery (CSRF) has been generating a high volume of
questions for us in the last year, as well as noticing increased
discussions on the webappsec mailing lists. As Jeremiah noted over on
the WASC list - this is a welcome change really -- for most of the
last decade CSRF was ignored, until the Bad Peoples started exploiting
it in the wild.

To bring more clarity to the subject of CSRF - we have published a
detailed article describing our testing methodology and
categorizations for CSRF. We are very interested in how other
pen-testers, source code reviewers, and developers are tackling the
CSRF issue! Quite frankly most automated detection is sorely limited,
and mitigation strategies are usually subverted by the detritus of XSS
littering most applications:

WhiteHat Security’s Approach to Detecting Cross-Site Request Forgery (CSRF)

https://blog.whitehatsec.com/whitehat-security%E2%80%99s-approach-to-detecting-cross-site-request-forgery-csrf/

Due to popular demand WhiteHat launched a new blog several weeks ago.
Jeremiah Grossman, myself, and the 30-some software security engineers
who do R&D in WhiteHat's Threat Research Center will all be posting
their application security content at this new blog.

https://blog.whitehatsec.com/

Gary McGraw has been harping on me for years to start blogging more
about blackbox testing, practically begging me, so I finally
capitulated! This should be a resource where folks from the SCL can
learn about the scientific marriage of dynamic testing with static
analysis and secure coding initiatives!

Cheerio,

---
Arian Evans
Specialist, Strategically Scaling Software Security

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
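Two points in the post above lend themselves to a worked illustration: how a black-box tester can tell whether an anti-CSRF token is actually enforced (replay the state-changing request with the token removed, corrupted, or borrowed from the attacker's own session), and why XSS on the same origin renders the token useless. The following is an added example written for this archive page; it is not code from the post, and it does not reproduce WhiteHat's published methodology. The toy bank application, its session ids, the `csrf` form field, and the `probe_csrf` / `xss_forge` helpers are all hypothetical and constructed for the demonstration.

```python
"""Toy CSRF probe: replays a state-changing request with its anti-CSRF token
removed, corrupted, or swapped for the attacker's own, and flags the endpoint
if the server still accepts it. Also shows why same-origin XSS defeats the token.
Everything here (app, sessions, field names) is constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side secret that binds tokens to sessions (constructed).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Synchronizer-style anti-CSRF token bound to a session via HMAC."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)


@dataclass
class ToyBank:
    """Minimal app with one state-changing action; `protect` toggles the token check."""
    protect: bool
    balances: dict = field(default_factory=lambda: {"alice": 100, "mallory": 0})
    sessions: dict = field(default_factory=lambda: {"sid-alice": "alice", "sid-mallory": "mallory"})

    def handle(self, req: Request) -> tuple:
        user = self.sessions.get(req.cookies.get("sid", ""))
        if user is None:
            return 401, ""
        if req.method == "GET" and req.path == "/transfer":
            # The form page embeds the token: whoever can read this page in the
            # victim's browser (the user, or an injected script) learns the token.
            return 200, issue_token(req.cookies["sid"])
        if req.method == "POST" and req.path == "/transfer":
            if self.protect:
                presented = req.form.get("csrf", "")
                if not hmac.compare_digest(presented, issue_token(req.cookies["sid"])):
                    return 403, "bad csrf token"
            amount = int(req.form["amount"])
            self.balances[user] -= amount
            self.balances[req.form["to"]] = self.balances.get(req.form["to"], 0) + amount
            return 200, "ok"
        return 404, ""


def probe_csrf(app: ToyBank, legit: Request, token_field: str, attacker_cookies: dict) -> dict:
    """Black-box check: confirm the legitimate request works, then replay it with the
    token removed, corrupted, and borrowed from the attacker's own session. If any
    variant is accepted like the original, the token is not really enforced."""
    baseline = app.handle(legit)[0]
    stripped = {k: v for k, v in legit.form.items() if k != token_field}
    # The attacker can always obtain a token for *their own* session and plant it.
    _, attacker_token = app.handle(Request("GET", legit.path, attacker_cookies))
    variants = {
        "removed": Request(legit.method, legit.path, legit.cookies, stripped),
        "corrupted": Request(legit.method, legit.path, legit.cookies, {**legit.form, token_field: "x" * 64}),
        "borrowed": Request(legit.method, legit.path, legit.cookies, {**legit.form, token_field: attacker_token}),
    }
    results = {name: app.handle(r)[0] for name, r in variants.items()}
    results["baseline"] = baseline
    results["vulnerable"] = baseline == 200 and any(results[n] == 200 for n in variants)
    return results


def xss_forge(app: ToyBank, victim_cookies: dict, to: str, amount: int) -> int:
    """Simulates script injected into the victim's page on the same origin: it reads
    the token straight out of the form page and submits it with the victim's cookies,
    so a correctly enforced synchronizer token does not stop the forged request."""
    _, token = app.handle(Request("GET", "/transfer", victim_cookies))
    status, _ = app.handle(Request("POST", "/transfer", victim_cookies,
                                   {"to": to, "amount": str(amount), "csrf": token}))
    return status


if __name__ == "__main__":
    weak = ToyBank(protect=False)
    req = Request("POST", "/transfer", {"sid": "sid-alice"}, {"to": "mallory", "amount": "10", "csrf": "ignored"})
    print("unprotected:", probe_csrf(weak, req, "csrf", {"sid": "sid-mallory"}))
    strong = ToyBank(protect=True)
    req = Request("POST", "/transfer", {"sid": "sid-alice"},
                  {"to": "mallory", "amount": "10", "csrf": issue_token("sid-alice")})
    print("protected:  ", probe_csrf(strong, req, "csrf", {"sid": "sid-mallory"}))
    print("xss on protected app:", xss_forge(strong, {"sid": "sid-alice"}, "mallory", 10))
```

The "borrowed" variant is the one that catches a common weak implementation: a server that checks only that some token it once issued is present, without binding it to the caller's session. The last call makes the post's caveat concrete: once script runs on the origin, it reads the token the same way the legitimate page does, and the token check passes.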

