Comments on: CSRF is Wicked

By: Daniel Miessler

Daniel Miessler — Sun, 17 Feb 2008 22:27:54 +0000

@Carl

Yes, if your cookies weren't there then you wouldn't have that problem. But then you'd lose a whole lot of functionality. Another good suggestion is to use one browser profile for sensitive things and another for non-sensitive.

Of course, the best solution is to have web applications that are coded securely.

By: Ken

Ken — Fri, 15 Feb 2008 02:43:09 +0000

Lets take your auction example. What if the site employed a captcha image or required some additional information to complete the request?

By: Carl M

Carl M — Thu, 14 Feb 2008 17:41:55 +0000

Pardon my ignorance of the subtleties, but am I understanding correctly that this is a cookie-based vulnerability? That is, if one removes all cookies when exiting a browser session (or even more frequently), is one at least somewhat protected from this sort of attack?