November Meeting - CSRF: All Defenses Are Not Created Equal

We are pleased to announce our November meeting. It will be held on November 7, 2013 in Reston. Food and drinks will be provided as always. Our presenter this month is local to Northern Virginia and has been a regular attendee and contributor for a long time.

Fire talks are always welcome, as well. If you have something you want to share with the group (tools, techniques, current events, etc.) bring it with you and don't worry about slides. 


Abstract: CSRF - Not All Defenses Are Created Equal


CSRF is an often misunderstood vulnerability. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through each of the major solutions and describe how it implements the general defense, along with the positives and negatives of each implementation.

The general solution is to implement the synchronizer token pattern. This is usually done in the framework rather than by the individual developer. For example, .NET applications can use AntiForgeryToken (for MVC applications) or ViewStateUserKey. The Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP, of course, has CSRFGuard. All of these solutions are slightly different, however, and can lead to different side effects, some of which are little understood and poorly documented. Some side effects can hurt usability, or cause worse security problems while trying to defend against CSRF.
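As an added illustration (not the speaker's code, nor that of any framework named above), here is a minimal synchronizer token pattern in Python: one unguessable token per session, stored server-side, embedded as a hidden field in every form, and compared in constant time on each state-changing request. The session dictionary, the field name `csrf_token`, and the `/transfer` route are assumptions for the example.

```python
import hmac
import html
import secrets
from typing import Dict, Mapping

# Added example of the synchronizer token pattern; the session store is a
# plain dict and the field name is an assumption, not a framework's own API.
TOKEN_FIELD = "csrf_token"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session: Dict[str, str]) -> str:
    """Create one random token per session and keep it server-side.

    The same value is reused for the session's lifetime, so every form the
    server renders carries a token that a cross-site page cannot read."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session: Dict[str, str], action: str) -> str:
    """Embed the session token as a hidden field in a state-changing form."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{html.escape(action)}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        "</form>"
    )


def verify_request(session: Mapping[str, str], method: str,
                   form: Mapping[str, str]) -> bool:
    """Accept a state-changing request only if it carries the session's token.

    Safe methods (GET, HEAD) are not checked; they must not change state.
    A missing server-side token (e.g. an expired session) is rejected, which
    is the usability side effect the talk abstract warns about."""
    if method.upper() not in STATE_CHANGING:
        return True
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(expected.encode("utf-8"),
                               supplied.encode("utf-8"))


if __name__ == "__main__":
    sess: Dict[str, str] = {}
    print(render_form(sess, "/transfer"))
    print(verify_request(sess, "POST", {TOKEN_FIELD: sess[TOKEN_FIELD]}))
```

A forged cross-site submission lacks the hidden field (or carries a guess), so `verify_request` returns `False` for it while a form the server itself rendered passes.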

Bio:

Ari has been in infosec for about 10 years. A former penetration tester, he has since migrated over to the defensive side, and spends most of his time working with developers trying to address application security concerns, and trying to bridge the gap between development and security. He can be found at www.defensium.com.


  • Iris R.

    As always, speaker was engaging and in top form. Ari is presenting this talk in NYC, as an invited speaker at AppSec 2013 in two weeks. We in the audience had the benefit of the preview! Good and useful information. Thanks for another enlightening evening, OWASP - NOVA!

    November 7, 2013

  • Neil

    Still need ice???

    November 7, 2013

  • Jack M.

    Could someone bring 3 bags of ice? We have tons of pizza and beer... no ice :-(

    November 7, 2013

  • Ping N.

    Sorry for the last minute quitting. Have to take care of business at home. This is a much anticipated talk and really hate to miss it. Very interested in the slide deck.

    November 7, 2013

  • Bill M.

    I was 'volunteered' as taxi service for my son and am unable to attend - I hope that notes will be posted, I am really sorry to miss this meeting!

    November 6, 2013

  • Jack M.

    Chapter,

    We are 2 days away from getting together. If you aren't planning on attending, please change your RSVP status from "yes" to "no". We make our monthly food + drink purchases based on registration. Thanks, and looking forward to seeing everyone!

    -Jack

    November 5, 2013

  • Joe

    The map shows several buildings with the address 11600 Sunrise Valley Drive, Reston, VA, and it can't be all of them. Please give a more concrete point of reference to be able to find this place.

    October 23, 2013

    • Michael M.

      It's all one complex. One building is the parking garage, the other is the office building.

      October 27, 2013

    • Jack M.

      The building is also called 11600 Sunrise, which conveniently matches the address. http://www.11600sunri...

      October 27, 2013

  • Gregory H.

    Looking forward to this. Been a while since I've seen an Angels of Security presentation!

    October 16, 2013

  • A former member

    That actually should say "synchronizer token pattern" (not singleton) in the description. For some reason my fingers don't always type what I tell them to.

    October 15, 2013

    • Michael M.

      Fixed.

      October 15, 2013

    • A former member

      thanks.

      October 16, 2013

  • Mehmet Y.

    Heading over the ocean, but it sounds like a great presentation. If anyone records it let me know!

    October 14, 2013
