Finding and Preventing Cross-Site Request Forgery presented at BlackhatUSA 2006

by Tom Gallagher,

Summary : There is an often overlooked security design flaw in many web applications today. Web applications often take user input through HTML forms. When privileged operations are performed, the server verifies the request is from an authorized user. Cross-Site Request Forgery Attacks allow an attacker to coerce an authorized user to request privileged operations of the attackers choice. Learn about this attack, how you can quickly identify these bugs in web applications, common techniques programmers use prevent these attacks, common bugs in some of these preventions, how the attack applies to SOAP, and how to automate tests to verify the attack is successfully prevented.