CSRF - Penetration Test (Printable Version)
CodeIgniter Forums (https://forum.codeigniter.com) > Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6) > Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
Thread: CSRF - Penetration Test (/showthread.php?tid=72290)
CSRF - Penetration Test - dave friend - 11-30-2018

Interesting post on Stack Overflow. The OP is asking how to overcome the CSRF system flaw that testing has (supposedly) revealed. I'm wondering if the assessment is valid. Thoughts?

RE: CSRF - Penetration Test - Paradinight - 11-30-2018

> (11-30-2018, 10:49 PM) dave friend Wrote: Interesting post on Stack Overflow. The OP is asking how to overcome the CSRF system flaw that testing has (supposedly) revealed.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie

RE: CSRF - Penetration Test - dave friend - 12-02-2018

> (11-30-2018, 11:17 PM) Paradinight Wrote:
> > (11-30-2018, 10:49 PM) dave friend Wrote: Interesting post on Stack Overflow. The OP is asking how to overcome the CSRF system flaw that testing has (supposedly) revealed.

Yes, I read all the OWASP stuff again before posting and I recognize the CI scheme as being "double submit cookie". What I'm uncertain of is whether the SO post has exposed a site that is not fully secured, or whether the CI scheme is what the Blackhat article calls a Naïve Double Submit? Or maybe it's a case of the security team that the SO post is dealing with doesn't understand all they know?
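The distinction the last post asks about, as an added framework-agnostic Python sketch (not CodeIgniter's own CSRF code): a naive double submit check only compares the cookie with the form field, so any matching pair that the server never issued passes, whereas binding the token to a server-side secret and the session id lets the server reject such pairs. The secret, session id and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example; a real deployment keeps its own secret.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
SESSION_ID = "constructed-session-id-123"


def naive_token() -> str:
    """Naive double submit: a random value placed in both cookie and form field."""
    return secrets.token_hex(16)


def naive_check(cookie_value: str, form_value: str) -> bool:
    """Naive check: accept whenever cookie and field match. Nothing ties the value
    to the server or to the user's session, so the server cannot tell its own
    tokens from ones it never issued."""
    return bool(cookie_value) and hmac.compare_digest(cookie_value, form_value)


def signed_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Signed double submit: random value plus an HMAC over it and the session id,
    keyed with a secret only the server knows."""
    rnd = secrets.token_hex(16)
    tag = hmac.new(secret, f"{session_id}:{rnd}".encode(), hashlib.sha256).hexdigest()
    return f"{rnd}.{tag}"


def signed_check(cookie_value: str, form_value: str, session_id: str,
                 secret: bytes = SERVER_SECRET) -> bool:
    """Reject unless cookie and field match AND the HMAC verifies for this session."""
    if not cookie_value or not hmac.compare_digest(cookie_value, form_value):
        return False
    rnd, sep, tag = cookie_value.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{rnd}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def compare_schemes(session_id: str = SESSION_ID) -> dict:
    """Run both checks on a legitimately issued token and on a matching
    cookie/field pair that never involved the server secret."""
    legit = signed_token(session_id)
    unissued = naive_token()  # a matching pair the server never produced
    return {
        "naive_accepts_legit": naive_check(legit, legit),
        "naive_accepts_unissued": naive_check(unissued, unissued),
        "signed_accepts_legit": signed_check(legit, legit, session_id),
        "signed_rejects_unissued": not signed_check(unissued, unissued, session_id),
        "signed_rejects_other_session": not signed_check(legit, legit, "other-session"),
    }
```

Whether a given framework's scheme is the naive or the bound variant is exactly the question to settle before accepting or disputing a pentest finding on it.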