Security Csrf Testing
// Security - Cross Site Request Forgery - Testing for CSRF:
1. Identify the state-changing operations in a feature.
2. Intercept one such operation using a proxy like ZAP.
3. Identify the CSRF token in the request (a cookie or a custom header).
4. Repeat the request without the token; on a proper implementation the operation should fail.
5. Alter the value of the token; on a proper implementation the operation should fail.
6. Re-use user A’s CSRF token (by editing the request) in a different session (A terminates the session and creates a new one, or user B’s session); this should result in failure.
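The following is an added example, not code from the original page: a minimal server-side model of a session-bound CSRF token check, plus a function that replays steps 4 to 6 above against it and records the HTTP status each attempt receives. The session store, `create_session`, `handle_state_change` and the status codes are hypothetical choices made for this illustration (no particular web framework is assumed); the point is that a correct implementation refuses a missing token, an altered token, and a token that belongs to another session or to a session that no longer exists.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical in-memory session store (constructed for this example):
# session_id -> {"user": ..., "csrf": ...}. A real server would persist this.
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session(user: str) -> str:
    """Log a user in: issue a fresh session id and a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def terminate_session(sid: str) -> None:
    """Log out: forget the session and, with it, the CSRF token bound to it."""
    SESSIONS.pop(sid, None)


def csrf_token_for(sid: str) -> str:
    """The token the server would embed in a form or hand to front-end code for a custom header."""
    return SESSIONS[sid]["csrf"]


def handle_state_change(session_cookie: Optional[str], csrf_header: Optional[str]) -> int:
    """
    A state-changing endpoint (e.g. POST /change-email) modelled as a function returning an HTTP status.

    The session cookie is what a browser attaches automatically; the CSRF token has to be
    supplied explicitly (custom header or form field) and must match the token bound to
    this particular session. Status codes are this example's own convention.
    """
    session = SESSIONS.get(session_cookie or "")
    if session is None:
        return 401                       # no live session at all
    if not csrf_header:
        return 403                       # step 4: token missing -> refuse
    # Constant-time comparison so the check does not leak token bytes through timing.
    if not hmac.compare_digest(session["csrf"], csrf_header):
        return 403                       # steps 5 and 6: altered or foreign token -> refuse
    return 200                           # token present and bound to this session: proceed


def run_csrf_test_plan() -> Dict[str, int]:
    """Replay the page's test steps against the endpoint and collect the resulting status codes."""
    results: Dict[str, int] = {}

    a = create_session("alice")
    a_token = csrf_token_for(a)
    results["baseline_valid_token"] = handle_state_change(a, a_token)

    # Step 4: same request with the token removed.
    results["step4_missing_token"] = handle_state_change(a, None)

    # Step 5: same request with one character of the token changed.
    tampered = a_token[:-1] + ("x" if a_token[-1] != "x" else "y")
    results["step5_altered_token"] = handle_state_change(a, tampered)

    # Step 6a: user A's token presented inside user B's session.
    b = create_session("bob")
    results["step6_token_in_user_b_session"] = handle_state_change(b, a_token)

    # Step 6b: A logs out (old token must die with the session) and logs in again.
    terminate_session(a)
    results["step6_token_after_logout"] = handle_state_change(a, a_token)
    a2 = create_session("alice")
    results["step6_token_in_new_session"] = handle_state_change(a2, a_token)
    return results


if __name__ == "__main__":
    for step, status in run_csrf_test_plan().items():
        print(f"{step:36s} -> HTTP {status}")
```

Only the baseline request should succeed; every other entry should be refused. If a target under test returns success for any of the step 4 to 6 cases, the token is either not being validated or not actually bound to the session.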
page revision: 0, last edited: 01 Jan 2017 22:10