Finding And Preventing Cross-Site Request Forgery presented at Blackhat USA 2005

by Tom Gallagher

Tags: Security Web

Summary: There is an often overlooked security
design flaw in many web applications today. Web applications often
take user input through HTML forms. When privileged operations are
performed, the server verifies that the request comes from an authorized user.
Cross-Site Request Forgery attacks allow an attacker to coerce an
authorized user into requesting privileged operations of the attacker's
choice. Learn about this attack, how you can quickly identify these
bugs in web applications, common techniques programmers use to prevent
these attacks, common bugs in some of these preventions, how the attack
applies to SOAP, and how to automate tests to verify that the attack is
successfully prevented.
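The abstract names three things in one breath: a handler that checks only the session cookie (and is therefore forgeable from another site), a per-request token as the usual prevention, and an automated test that confirms the prevention holds. The following added example, which is not code from the talk or from any real application, models all three with the standard library only. The session store, account balances, request shape and the "buggy" handler (a token check that is skipped when the field is absent) are all constructed here for illustration.

```python
"""Toy CSRF model: cookie-only handler, a broken token check, a working
token check, and an automated check that a forged request is refused.
All state and handlers are constructed for this example."""

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token, issued when the session is created
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """What the server sees: the session cookie (which the browser attaches
    automatically, even to a form post initiated by another site) plus the
    submitted form fields."""
    session_cookie: str
    form: dict


# Constructed server-side state: one logged-in user and two balances
SESSIONS = {"sid-victim": Session(user="alice")}
BALANCES = {"alice": 100, "mallory": 0}


def _do_transfer(user, form):
    amount = int(form["amount"])
    if BALANCES[user] < amount:
        return (400, "insufficient funds")
    BALANCES[user] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return (200, "ok")


def transfer_vulnerable(req):
    """Checks only for a valid session cookie, so any page that makes the
    user's browser post to this URL performs the transfer."""
    sess = SESSIONS.get(req.session_cookie)
    if sess is None:
        return (401, "not logged in")
    return _do_transfer(sess.user, req.form)


def transfer_buggy(req):
    """A mitigation that validates the token only when the field is present.
    A forged request simply omits the field. Illustrative bug, constructed."""
    sess = SESSIONS.get(req.session_cookie)
    if sess is None:
        return (401, "not logged in")
    token = req.form.get("csrf_token")
    if token is not None and not hmac.compare_digest(token, sess.csrf_token):
        return (403, "bad csrf token")
    return _do_transfer(sess.user, req.form)


def transfer_protected(req):
    """Requires the per-session token in the form body. Another origin cannot
    read the victim's token, so it cannot build a request that passes."""
    sess = SESSIONS.get(req.session_cookie)
    if sess is None:
        return (401, "not logged in")
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return (403, "missing or bad csrf token")
    return _do_transfer(sess.user, req.form)


def _run_and_restore(handler, form):
    """Send one request, report the status, and put the balances back so
    each check is independent of the others."""
    before = dict(BALANCES)
    status, _ = handler(Request(session_cookie="sid-victim", form=form))
    unchanged = BALANCES == before
    BALANCES.clear()
    BALANCES.update(before)
    return status, unchanged


def csrf_prevented(handler):
    """Automated check: replay the request a hostile page would make the
    victim's browser send. It carries the cookie but no token. The mitigation
    is effective only if the handler refuses and nothing changed."""
    status, unchanged = _run_and_restore(handler, {"to": "mallory", "amount": "10"})
    return status == 403 and unchanged


def legitimate_request_accepted(handler):
    """Regression check: a same-site form that includes the token still works."""
    token = SESSIONS["sid-victim"].csrf_token
    status, _ = _run_and_restore(
        handler, {"to": "mallory", "amount": "10", "csrf_token": token})
    return status == 200


if __name__ == "__main__":
    for name, h in [("vulnerable", transfer_vulnerable),
                    ("buggy", transfer_buggy),
                    ("protected", transfer_protected)]:
        print(f"{name:10s} refuses forged request: {csrf_prevented(h)}")
```

The point of `csrf_prevented` is that it asserts two things, not one: the forged request must be refused with a 403 and the server-side state must be untouched. A check that looks only at the status code would pass a handler that performs the transfer and then errors out, and a check that looks only at state would not distinguish a correctly rejected request from one that failed for an unrelated reason. `hmac.compare_digest` is used for the token comparison so that an incorrect guess cannot be refined character by character from response timing.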