Comments on PortSwigger.net - web application security: When good XSRF defence turns bad
Blog author: PortSwigger (http://www.blogger.com/profile/04744809054520271899)
Comment feed last updated: 2008-01-24T11:50:08.157Z

Comment by StrongArm (http://www.blogger.com/profile/16497045523518549945), 2008-01-24T11:50:00.000Z:

Furthermore, this vector could be prevented if the request or login authentication page carries a one-time password random parameter that is not guessable from the outside. The user will be required to type in his token each time a task is requested. The trick is to create a unique session-specific token for risky requests.

Comment by Jim Manico (http://www.blogger.com/profile/12382834501997208557), 2008-01-06T23:44:00.000Z:

Fantastic article. Do you think nonce/token based CSRF protection is a complete CSRF mitigation strategy? What about banking trojans and/or the long history of browser flaws that get around Single Origin Policy?