Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Join us at AppSec California 2014!


AppSec California is the first of hopefully many annual conferences hosted by all of the California chapters. Join us on the beaches of Santa Monica which is closest to our Los Angeles Chapter. Space is limited to around 200 attendees so be sure to get your ticket before we sell out!

Come a little early or stay the rest of the week; however you enjoy it, the weather is likely going to be warmer than where you are. Enjoy the Santa Monica pier and downtown area or explore the surrounding cities. You probably have a client or 10 near by too so say hello to them too.

Stay tuned as activities around the event are updated and more speakers are added to the lineup. A schedule will come at some point.


Register today! 
View analytic
Tuesday, January 28 • 9:30am - 10:30am
CSRF: not all defenses are created equal

Sign up or log in to save this to your schedule and see who's attending!

CSRF is an often misunderstood vulnerability. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through all of the various major solutions and describe how theyimplement the general solution and the positives and negatives of each implementation.
The general solution is to implement the synchronizer token pattern. This is usually done in the framework and not by the individual developer. For example .net applications can use the antiforgerytoken (for MVC applications) or viewstateuserkey. Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP of course has the CSRF guard. All of these solutions though are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects can impact usability, or cause worse security problems while trying to defend against CSRF.

Speakers
avatar for Ari Elias-Bachrach

Ari Elias-Bachrach

Defensium
Ari has been in infosec for about 10 years. A former penetration tester, he has since migrated over to the defensive side, and spends most of his time working with developers trying to address application security concerns, and trying to bridge the gap between development and security. He can be found at www.defensium.com


Tuesday January 28, 2014 9:30am - 10:30am
Track 2

Attendees (5)