CSRF: not all defenses are created equal, presented at OWASP AppSec California 2014

by Ari Elias-bachrach

Summary: CSRF is an often misunderstood vulnerability. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through each of the major solutions and describe how it implements the general defense, along with the positives and negatives of each implementation.
The general solution is to implement the synchronizer token pattern. This is usually done in the framework rather than by the individual developer. For example, .NET applications can use AntiForgeryToken (for MVC applications) or ViewStateUserKey. The Tomcat web server and F5 load balancers also now include CSRF prevention filters, and OWASP of course has CSRFGuard. All of these solutions are slightly different, however, and can lead to different side effects, some of which are little understood and poorly documented. Some side effects can impact usability, or can cause worse security problems while trying to defend against CSRF.
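As an added illustration of the synchronizer token pattern described above (not code from the talk or from any of the products it names), here is a minimal Python implementation; `Session`, `issue_token`, `verify_request` and `rotate_token` are hypothetical names, and `rotate_token` shows the per-request rotation variant whose multi-tab breakage is one of the usability side effects the abstract refers to.

```python
import hmac
import secrets

# Synchronizer token pattern: a secret token tied to the server-side session is
# embedded in every state-changing form, and every state-changing request must
# echo it back. A cross-site page cannot read the token, so it cannot forge a
# request that passes the check.

class Session:
    """Hypothetical server-side session; the token lives here and in the page."""
    def __init__(self):
        self.csrf_token = None

def issue_token(session: Session) -> str:
    """Create the session's token on first use; reuse it afterwards."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token

def render_form(session: Session) -> str:
    """Embed the token as a hidden field (never in a GET URL, which leaks it
    into logs and Referer headers)."""
    return f'<input type="hidden" name="csrf_token" value="{issue_token(session)}">'

def verify_request(session: Session, method: str, form: dict) -> bool:
    """Return True if the request may proceed; safe methods are not checked."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.csrf_token
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False  # no token issued, or none submitted: reject
    # Constant-time comparison avoids leaking the token byte by byte via timing.
    return hmac.compare_digest(expected, submitted)

def rotate_token(session: Session) -> str:
    """Per-request variant: a fresh token after every use. Stricter, but a form
    already rendered in a second tab now carries a stale token and will fail."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token
```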

Ari Elias-bachrach: Ari is a CISSP and CEH. He has a BS in computer science from Washington University in St. Louis and an MS in computer science with a focus on information security from The George Washington University. Previously he worked for the federal government, followed by a stint in the private sector as a consultant performing external penetration testing and web application reviews. He now works as an in-house information security engineer focusing on web applications.