michael coates (1 posting since 24 Jul 2009)
CSRF Tokens Not Beaten 24 July 2009 18:37
This is an interesting attack; however, it does not mean that the CSRF token has been beaten. The strength of this defense relies on the randomness of the CSRF token itself. Just as it is not feasible to guess a correctly generated random session ID, it is not feasible to brute force a well-constructed CSRF token (i.e. not a 5-character token).
http://michael-coates.blogspot.com/2009/07/csrf-tokens-are-not-broken.html
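As an added illustration of the point made in the post above (this is example code, not from the poster or the linked blog), the following Python issues a CSRF token from the OS CSPRNG, checks it in constant time, and compares the expected blind-guessing work for a 5-character token against a 32-byte one; the 62-symbol alphanumeric alphabet and the 10,000 guesses/second rate are assumptions.

```python
import hmac
import math
import secrets
import string

# Assumption (not from the post): a "5 character token" drawn from the
# 62-symbol alphanumeric alphabet, guessed blindly at 10,000 requests/second.
ALNUM_ALPHABET_SIZE = len(string.ascii_letters + string.digits)  # 62
ASSUMED_GUESS_RATE_PER_SEC = 10_000


def generate_csrf_token(nbytes: int = 32) -> str:
    """Issue a per-session CSRF token carrying nbytes of CSPRNG entropy."""
    return secrets.token_urlsafe(nbytes)


def verify_csrf_token(session_token: str, submitted: str) -> bool:
    """Check the submitted token against the one bound to the session.

    hmac.compare_digest runs in constant time, so response timing does not
    leak how much of a guessed token was correct.
    """
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def token_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of blind guesses before one hits a uniform token."""
    return 2.0 ** bits / 2


def expected_seconds_to_guess(bits: float, rate: float = ASSUMED_GUESS_RATE_PER_SEC) -> float:
    """Wall-clock time for the expected number of guesses at `rate` per second."""
    return expected_guesses(bits) / rate


if __name__ == "__main__":
    token = generate_csrf_token()
    assert verify_csrf_token(token, token) and not verify_csrf_token(token, token + "x")
    for label, bits in (("5-char alphanumeric", token_space_bits(5, ALNUM_ALPHABET_SIZE)),
                        ("32-byte CSPRNG", token_space_bits(32, 256))):
        secs = expected_seconds_to_guess(bits)
        print(f"{label:20s} {bits:6.1f} bits  ~{secs / 86400:.3g} days of guessing")
```

With the assumed rate the 5-character token falls to blind guessing in about half a day on average, while the 32-byte token needs on the order of 10^67 days, which is why the post stresses the token's randomness rather than the mechanism.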