Many folks fail to understand CSRF properly, and how to protect against it. Let's start from the beginning and look at what works, and why. Cross-site request forgeries are simple at heart: the attacker gets the victim's browser to submit a request that rides on the victim's own session and credentials, so the server performs work the victim is authorized to do but never asked for. This almost […]
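To make the mechanism concrete, here is an added example (not code from the original post) of the synchronizer-token defence simulated without a web framework: a session store keyed by a cookie value, a state-changing transfer endpoint, and a hidden form field named csrf_token are all assumptions for illustration. The forged request carries the victim's cookie, because the browser attaches it automatically, but not the token, because the attacker's origin cannot read the victim's page.

```python
"""Synchronizer-token CSRF check, simulated in-process.

Assumed for illustration (not from the original post): a server-side session
store keyed by a cookie value, a POST /transfer handler, and a form field
named "csrf_token". Every request below is constructed here, not captured.
"""
import hmac
import secrets

# Constructed session store: cookie value -> session data
SESSIONS = {}


def login(user):
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(32)
    # The anti-CSRF token lives server-side, bound to this session, and is only
    # ever handed out inside pages served to this session (same-origin).
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "balance": 100}
    return sid


def render_form(sid):
    """The legitimate transfer page embeds the session's token in a hidden field."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def handle_transfer(cookie_sid, form):
    """POST /transfer. The cookie alone is not proof of intent: any site can make
    the browser send it. The token must have come from our own page."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison; a missing or guessed token fails here, before
    # any state changes.
    if not submitted or not hmac.compare_digest(submitted, expected):
        return 403, "csrf token missing or invalid"
    amount = int(form["amount"])
    if amount <= 0 or amount > session["balance"]:
        return 400, "bad amount"
    session["balance"] -= amount
    return 200, f"sent {amount} to {form['to']}"


def legitimate_flow():
    """Victim loads our form and submits it: cookie and token both present."""
    sid = login("alice")
    form = render_form(sid)
    form.update({"to": "bob", "amount": "40"})
    return handle_transfer(sid, form)


def forged_flow():
    """Attacker's page auto-submits a form to /transfer. The browser attaches
    alice's cookie, but the attacker never saw alice's token."""
    sid = login("alice")
    forged_form = {"to": "mallory", "amount": "100"}  # no csrf_token field
    return handle_transfer(sid, forged_form)


def guessed_token_flow():
    """Same forgery, but the attacker supplies a made-up token value."""
    sid = login("alice")
    forged_form = {"csrf_token": "guess", "to": "mallory", "amount": "100"}
    return handle_transfer(sid, forged_form)


if __name__ == "__main__":
    print(legitimate_flow())     # (200, 'sent 40 to bob')
    print(forged_flow())         # (403, 'csrf token missing or invalid')
    print(guessed_token_flow())  # (403, 'csrf token missing or invalid')
```

The point the simulation makes is the one in the paragraph above: the server cannot distinguish a forged request from a real one by looking at the session cookie, so it needs a second value that only a page from its own origin could have supplied.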

OWASP Top 10 2007 nearly done

This edition's headings:

A1. Cross-site scripting
A2. Injections
A3. Insecure Remote File Include
A4. Insecure direct object reference
A5. Cross-site request forgeries
A6. Information leakage and improper error handling
A7. Malformed input
A8. Broken authorization
A9. Insecure cryptography and communication
A10. Privilege escalation

Note what's missing? Note what's new? 😉 If you want to review […]