Line 128:
===Further information===
There are two tests for CSRF tokens/crumbs. Is a CSRF token/crumb used at all for the POST? If so, does the server validate that the token/crumb is correct?
These tests would need to be performed on each form within the application.
The first issue can be verified by viewing the page source and looking at the form element, or by intercepting the POST request and inspecting the submitted values. In either case you should see a hidden field called "CSRFToken" or "crumb" (or something similar), and the value will be a long random series of letters and numbers. If you do not see this random value, then we have a finding.
The second issue can be verified by modifying the token/crumb to any other value. Try replacing the value with "123". The application should either return an error message or simply not perform the action that you requested with that form. If the application does perform the requested action with the "123" token value, then we have a finding.
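The following is an added example, not code from the wiki page or its project, showing the server-side behaviour that both tests expect: a form that carries a hidden "CSRFToken" field with a random value (test one), and a POST handler that rejects a missing or altered token such as "123" instead of performing the action (test two). The in-memory session store, the form field names and the response strings are constructed for the example.

```python
import hmac
import html
import secrets
from typing import Optional

# Constructed in-memory store of the token issued to each session.
# A real application keeps this in its server-side session state.
_sessions = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate a fresh, unguessable per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def render_form(session_id: str, action: str = "/transfer") -> str:
    """Emit the form with the hidden token field that test one looks for in the page source."""
    token = issue_csrf_token(session_id)
    return (
        f'<form method="POST" action="{html.escape(action)}">\n'
        f'  <input type="hidden" name="CSRFToken" value="{html.escape(token)}">\n'
        f'  <input type="text" name="amount">\n'
        f'</form>'
    )


def validate_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token equals the one issued to this session."""
    expected = _sessions.get(session_id)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def handle_post(session_id: str, form: dict) -> str:
    """The server's response to a submitted form, as test two expects it to behave."""
    if "CSRFToken" not in form:
        return "error: missing CSRF token"
    if not validate_csrf_token(session_id, form["CSRFToken"]):
        return "error: invalid CSRF token"
    return "ok: action performed"


def run_demo() -> dict:
    """Exercise the three cases a tester would observe: genuine, missing and tampered token."""
    sid = "session-abc"  # constructed session identifier
    page = render_form(sid)
    token = _sessions[sid]
    return {
        "hidden_field_present": 'name="CSRFToken"' in page,
        "valid": handle_post(sid, {"CSRFToken": token, "amount": "10"}),
        "missing": handle_post(sid, {"amount": "10"}),
        "tampered": handle_post(sid, {"CSRFToken": "123", "amount": "10"}),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The token is bound to the session rather than global, so a value captured from one user's form is useless for another session, and `hmac.compare_digest` keeps the comparison constant-time. An application that returned "ok: action performed" for the "123" case would be the finding described above.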
==Test: Account Lockout==