CodeIgniter Forums
CSRF - Penetration Test - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
+--- Thread: CSRF - Penetration Test (/showthread.php?tid=72290)



CSRF - Penetration Test - dave friend - 11-30-2018

Interesting post on Stack Overflow. The OP is asking how to overcome the CSRF system flaw that testing has (supposedly) revealed.

I'm wondering if the assessment is valid. Thoughts?


RE: CSRF - Penetration Test - Paradinight - 11-30-2018

(11-30-2018, 10:49 PM)dave friend Wrote: Interesting post on Stack Overflow. The OP is asking how to overcome the CSRF system flaw that testing has (supposedly) revealed.

I'm wondering if the assessment is valid. Thoughts?

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie


RE: CSRF - Penetration Test - dave friend - 12-02-2018

(11-30-2018, 11:17 PM)Paradinight Wrote:
(11-30-2018, 10:49 PM)dave friend Wrote: Interesting post on Stack Overflow. The OP is asking how to overcome the CSRF system flaw that testing has (supposedly) revealed.

I'm wondering if the assessment is valid. Thoughts?

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie

Yes, I read all the OWASP stuff again before posting and I recognize the CI scheme as being "double submit cookie".

What I'm uncertain of is whether the SO post has exposed a site that is not fully secured, or whether the CI scheme is what the Blackhat article calls a Naïve Double Submit.

Or maybe it's a case where the security team the SO post is dealing with doesn't understand all they know?
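The naive-versus-signed distinction raised in the post above, as an added illustration that is neither CodeIgniter's implementation nor code from the thread: a naive double-submit check only compares the cookie to the submitted field, so any party able to plant a cookie for the site's domain satisfies it, whereas a signed variant binds the token to the session with an HMAC under a server-side key, so a planted cookie fails verification. Function names, the token layout and the key and session values are assumptions made for this example.

```php
<?php
// Added example, not CodeIgniter's code: naive vs signed double-submit cookie checks.

// Naive double submit: the server keeps no state and only checks that the cookie
// value and the form field agree. It has no way to tell a server-issued pair from
// a pair that was planted by someone who can set cookies for the domain.
function naiveDoubleSubmitValid(string $cookieToken, string $formToken): bool
{
    return $cookieToken !== '' && hash_equals($cookieToken, $formToken);
}

// Signed double submit (assumed layout): token = nonce . '.' . HMAC(key, sessionId|nonce).
// The MAC cannot be produced without the server key and is tied to one session.
function issueSignedToken(string $serverKey, string $sessionId): string
{
    $nonce = bin2hex(random_bytes(16));
    $mac   = hash_hmac('sha256', $sessionId . '|' . $nonce, $serverKey);
    return $nonce . '.' . $mac;
}

function signedDoubleSubmitValid(string $serverKey, string $sessionId, string $cookieToken, string $formToken): bool
{
    // Cookie and form field must still agree, exactly as in the naive scheme.
    if ($cookieToken === '' || !hash_equals($cookieToken, $formToken)) {
        return false;
    }
    $parts = explode('.', $cookieToken, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return false;
    }
    [$nonce, $mac] = $parts;
    // Recompute the MAC for this session and compare in constant time.
    $expected = hash_hmac('sha256', $sessionId . '|' . $nonce, $serverKey);
    return hash_equals($expected, $mac);
}

// Constructed demonstration values (a real key lives in config, not in source).
$serverKey = 'constructed-example-server-key';
$sessionId = 'sess_example_123';

// Legitimate flow: the server issued the token and the browser echoes it in both places.
$issued = issueSignedToken($serverKey, $sessionId);
var_dump(signedDoubleSubmitValid($serverKey, $sessionId, $issued, $issued));

// Planted pair: well-formed but never signed with the server key. The naive check
// cannot distinguish it from a legitimate pair; the signed check rejects it.
$planted = bin2hex(random_bytes(16)) . '.' . str_repeat('0', 64);
var_dump(naiveDoubleSubmitValid($planted, $planted));
var_dump(signedDoubleSubmitValid($serverKey, $sessionId, $planted, $planted));
```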