On Sat, 3 Mar 2012 12:17:58 +0000 Pedro Melo <m...@simplicidade.org> wrote:
> CSRF attacks are dangerous but the solution is making sure the
> attacker lacks a piece of information that the real user has. When
> generating a form for the real client to submit, add a hidden
> parameter with a cryptographically secure one-use-only token, and stash
> the same token in the user session, server-side. All form submissions
> must include that parameter, and it must match the token in the
> session.

This is the best advice on the thread, and in fact the only real solution to CSRF proposed so far. The security tokens need not be in every form, but they are critical in the forms whose submission takes some sort of action (deletes user account, submits an order, sells stocks, sends an e-mail, etc.)

However, judging from the security-scanning tool's description, it might still complain about the same thing even if you fix it this way.

The GET/POST thing indeed has nothing to do with CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Prevention_Measures_That_Do_NOT_Work

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
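The token scheme described in the quoted advice, as an added Python example (not code from this thread or from Mason): a per-form token is generated from the OS CSPRNG, stashed server-side in the session, emitted as a hidden parameter, and consumed on the first successful check. The session is modelled as a plain dict, and the names `_csrf` and `csrf_token` are assumptions.

```python
import hmac
import secrets

# Where in the session the per-form tokens live (name is an assumption).
SESSION_KEY = "_csrf"


def issue_token(session: dict, form_id: str) -> str:
    """Generate a fresh random token for one form and stash it in the session.

    The returned value goes into the hidden field of the rendered form; the
    copy kept in the session is what the later submission is checked against.
    """
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    session.setdefault(SESSION_KEY, {})[form_id] = token
    return token


def verify_token(session: dict, form_id: str, submitted) -> bool:
    """Check a submitted token against the session copy; consume it on success.

    A token that matches is removed from the session, so each issued token
    can authorise exactly one submission (replays of a captured form fail).
    """
    tokens = session.get(SESSION_KEY, {})
    expected = tokens.get(form_id)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected, submitted):
        return False
    del tokens[form_id]
    return True


def hidden_field(token: str) -> str:
    """Render the hidden parameter carried inside the form (field name assumed)."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


if __name__ == "__main__":
    session = {}                                   # constructed stand-in for a session store
    tok = issue_token(session, "delete_account")
    print(hidden_field(tok))
    print(verify_token(session, "delete_account", tok))   # genuine submit: True
    print(verify_token(session, "delete_account", tok))   # replayed submit: False
```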