Scanning sites with anti-CSRF tokens
No due date
16% complete
Scanning sites with anti-CSRF tokens enabled is a really hard task to achieve, since the CSRF token implementation can be really strict and make the whole scan useless.
I want to perform these tasks:
- Identify the top 3 methods for CSRF (hidden form param, cookie? special header?)
- Identify the top 3 implementations (maybe: Django, Ruby, Zend-PHP) and crea…
Scanning sites with anti-CSRF tokens enabled is a really hard task to achieve, since the CSRF token implementation can be really strict and make the whole scan useless.
I want to perform these tasks:
- Identify the top 3 methods for CSRF (hidden form param, cookie? special header?)
- Identify the top 3 implementations (maybe: Django, Ruby, Zend-PHP) and create test applications
- Write tests that scan these three test applications
- Modify the framework to PASS these tests