CSRF Defense Strategies - Not All Are Created Equal

Explore the intricacies of Cross-Site Request Forgery (CSRF) vulnerabilities and defense mechanisms in this 45-minute OWASP Foundation talk. Gain a comprehensive understanding of CSRF, starting with its basic concepts and progressing to advanced defense strategies. Analyze the synchronizer token pattern and its various implementations across different frameworks and platforms, including .NET, Tomcat, and F5 load balancers. Examine the pros and cons of each solution, uncovering potential side effects that may impact usability or introduce new security risks. Delve into alternative approaches such as double submit cookies and challenge-response systems. Learn about OWASP CSRFGuard, Tomcat's CSRF prevention filter, and F5's Application Security Manager (ASM) capabilities. Discover how to identify CSRF token implementations based on their naming conventions and understand the implications of using specific libraries for protection.

Syllabus

Intro
If you can predict all the parameters for an action, you can fake it
High Level Defenses (Design Patterns)
Primary Defense is the Synchronizer Token Pattern
Second Defensive Option is Double Submit Cookies This option used less often, but useful for things like REST
A Third Option is Any Form of Challenge Response System Rarely Used Exclusively for CSRF Defense
CSRFGuard Implements the Synchronizer Token Pattern and Makes a New Token For Each Session
Tomcat 7 Includes a CSRF Prevention Filter
F5's ASM Can Insert a Token in All Links and Forms to Implement the Synchronizer Token Pattern
Imperva Secure Sphere Can Detect CSRF Attacks by Checking the Referrer Header
CSRF Token Names Can Reveal What Library You Are Using