Files in this repository:

* Data Validation in Web Applications.pdf
* Principles of Secure Web Application Development.pdf
Demo stuff for the 2011 UCDavis IT Security Symposium. http://itsecuritysymposium.ucdavis.edu/

CSRF:

* Demo the banking application.
* Now to the evil side.
* First we can do a GET request that changes money. This is bad: only idempotent operations should be GET.
* Change to POST; now it will not work.
* Now the evil bank does the POST example, which works. This is of course because there is no authorization being performed.
* Showing the above is really optional; it is not a CSRF attack.
* Now lock it down to require authorization.
* For CSRF #1, get the user to visit http://localhost:5416/Csrf/GetForgeryPage. This is the GET attack example.
* For CSRF #2, get the user to visit http://localhost:5416/Csrf/PostForgeryPage. This is the POST attack.
* Solve the POST attack by adding an antiforgery token.
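The three checks the demo walks through (reject state-changing GETs, require an authorized session, require a session-bound antiforgery token on POST), as an added self-contained Python illustration that is not part of this repository's demo code. It assumes a synchronizer-token scheme (HMAC of the session id under a server secret) and borrows the `__RequestVerificationToken` field name from ASP.NET MVC's `Html.AntiForgeryToken()` on the assumption that the banking demo is an ASP.NET MVC app; the requests and balances are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed demo only: server-side secret used to bind tokens to a session.
SECRET_KEY = secrets.token_bytes(32)

def issue_antiforgery_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session_id). The bank embeds it
    in its own transfer form; an evil site cannot read it across origins."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def transfer(request: dict, balances: dict) -> str:
    """Simplified transfer handler. request keys: method, session_id, form."""
    # Rule 1: only idempotent operations may be GET; moving money is not one.
    if request["method"] != "POST":
        return "rejected: state change must be POST"
    # Rule 2: the request must belong to an authenticated session.
    session_id = request.get("session_id")
    if not session_id:
        return "rejected: not authorized"
    # Rule 3: the POST must carry the antiforgery token for this session.
    expected = issue_antiforgery_token(session_id)
    supplied = request["form"].get("__RequestVerificationToken", "")
    if not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid antiforgery token"
    amount = int(request["form"]["amount"])
    balances["victim"] -= amount
    balances["attacker"] += amount
    return "ok"

def run_demo() -> dict:
    """Replay the demo's three scenarios against one logged-in victim session."""
    balances = {"victim": 100, "attacker": 0}
    session = "victim-session-cookie"  # the browser attaches this cookie itself
    outcomes = {}
    # CSRF #1: forged GET (e.g. an <img src=...> on the evil page); cookie rides along.
    outcomes["get_forgery"] = transfer(
        {"method": "GET", "session_id": session, "form": {"amount": "50"}}, balances)
    # CSRF #2: forged auto-submitting POST form; cookie rides along, token does not.
    outcomes["post_forgery"] = transfer(
        {"method": "POST", "session_id": session, "form": {"amount": "50"}}, balances)
    # Legitimate POST from the bank's own form, which embedded the token.
    token = issue_antiforgery_token(session)
    outcomes["legit_post"] = transfer(
        {"method": "POST", "session_id": session,
         "form": {"amount": "50", "__RequestVerificationToken": token}}, balances)
    outcomes["balances"] = balances
    return outcomes
```

Only the legitimate, token-bearing POST moves money; both forged requests are refused even though the victim's session cookie was sent with them.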