Secure Coding mailing list archives
CSRF and Header Forging - your thoughts needed
From: michael.coates at owasp.org (Michael Coates)
Date: Fri, 14 May 2010 09:01:45 -0700
All,

I'm looking for thoughts on CSRF attacks that result in forged headers from the victim user to the target site. Are there modern attacks that work here? If not, could we implement a CSRF protection that uses a custom header and avoid the cost of computing random numbers?

This sounds very strange at first since we are accustomed to the standard random CSRF token approach. However, please take a look and contribute to the comment thread:

http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html

(Several comments on the article already, I encourage you to post your comments there for everyone to read)

Thanks!

--
Michael Coates
http://michael-coates.blogspot.com
OWASP Member & Contributor
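As an added example that is not part of the original post or the linked article, the following Python sketches the server-side half of the custom-header defence the message asks about: state-changing requests must carry a custom header, and the CORS preflight must not grant that header to foreign origins. The header name `X-Requested-With`, the set of safe methods and the empty allowed-origin list are assumptions.

```python
# Added example: custom-header CSRF check (assumed header name and policy).
# Rationale: a browser will not attach an arbitrary custom header to a
# cross-site <form> post or image/script load, so a state-changing request
# without the header is treated as forged. No per-session random token is
# needed, only presence of the header.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # assumed: never change state
REQUIRED_HEADER = "X-Requested-With"               # assumed header name
ALLOWED_ORIGINS = set()                            # assumed: no cross-origin API clients


def is_request_allowed(method, headers):
    """Return True if the request passes the custom-header rule.

    headers: mapping of header name -> value. HTTP header names are
    case-insensitive, so the lookup is done on lower-cased names.
    """
    if method.upper() in SAFE_METHODS:
        return True                                # nothing to protect
    lowered = {name.lower(): value for name, value in headers.items()}
    # Presence alone is the check; the value carries no secret.
    return REQUIRED_HEADER.lower() in lowered


def preflight_allows(origin, requested_headers):
    """Decide a CORS preflight (OPTIONS + Access-Control-Request-Headers).

    The defence only holds if the server never tells a foreign origin that
    it may send the custom header. False means the response carries no
    Access-Control-Allow-* headers, so the browser blocks the real request.
    """
    wants_custom = REQUIRED_HEADER.lower() in {h.lower() for h in requested_headers}
    return origin in ALLOWED_ORIGINS or not wants_custom


def evaluate_samples():
    """Run constructed sample requests through both checks."""
    return {
        # Cross-site form post: browser sets only Content-Type.
        "form_post": is_request_allowed(
            "POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        # Same-origin XHR that the site's own script decorated with the header.
        "xhr_post": is_request_allowed(
            "POST", {"x-requested-with": "XMLHttpRequest"}),
        # Plain GET is left alone.
        "get": is_request_allowed("GET", {}),
        # Foreign origin asking permission to send the custom header.
        "foreign_preflight": preflight_allows(
            "http://attacker.example", ["X-Requested-With"]),
    }
```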
Current thread:
- CSRF and Header Forging - your thoughts needed Michael Coates (May 14)
- CSRF and Header Forging - your thoughts needed Michal Zalewski (May 14)