Security Csrf Testing

security-csrf

// Security - Cross-Site Request Forgery - Testing for CSRF:

1. Identify the state-changing operations in the feature under test (anything that
   creates, updates or deletes data, changes account settings or triggers an
   action). Read-only requests are not CSRF targets.

2. Intercept each such request with an intercepting proxy such as ZAP and save it
   so it can be replayed and edited.

3. Identify the anti-CSRF token in the request. It is normally a hidden form
   field / body parameter or a custom request header (for example X-CSRF-Token).
   A value that appears only in a cookie is not a token: the browser attaches
   cookies automatically, so a cookie on its own gives no protection. In the
   double-submit pattern the cookie value is echoed in a parameter or header,
   and it is that echoed copy that must be tested.

4. Replay the request with the token removed entirely (field, parameter or
   header deleted, not merely emptied). A proper implementation rejects the
   request and the state change does not happen.

5. Replay the request with the token value altered (change one character, or
   substitute a random value of the same length). A proper implementation
   rejects it.

6. Replay the request carrying user A's token under a different session: user
   B's session cookie, or a new session A obtains after terminating the old one
   and logging in again. A proper implementation rejects it; acceptance means the
   token is not bound to the session and can be harvested from one session and
   used against another.

In every case judge the outcome by the effect on the application (did the email
address change, was the record deleted) and not only by the response code, since
some applications answer 200 with an error page.
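The replay checks from steps 4 to 6, automated as an added example (this is not
code from the page and not ZAP output). The target application, its /email
endpoint, the session cookie name and the X-CSRF-Token header name are
assumptions constructed for the demo: a tiny local server that binds one
synchronizer token to each session. Against a real application you would replace
replay() with the request captured in the proxy and keep the mutations the same.

```python
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# --- Constructed target (assumption for the demo): a state-changing endpoint
# --- protected by a per-session synchronizer token sent in X-CSRF-Token.
SESSIONS = {}  # session id -> expected CSRF token (server-side state)


def new_session():
    """Log a user in: returns (session id, CSRF token bound to that session)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid, SESSIONS[sid]


class TargetApp(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        cookies = dict(
            c.strip().split("=", 1)
            for c in self.headers.get("Cookie", "").split(";") if "=" in c
        )
        expected = SESSIONS.get(cookies.get("session"))
        sent = self.headers.get("X-CSRF-Token", "")
        # The token must be present AND equal to the one bound to this session.
        if expected is None or not hmac.compare_digest(sent.encode(), expected.encode()):
            self._reply(403, b"csrf token missing or invalid")
            return
        self._reply(200, b"email updated: " + body)

    def _reply(self, code, data):
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_target():
    srv = HTTPServer(("127.0.0.1", 0), TargetApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# --- Tester: replay the captured request with the token mutated (steps 4-6).
def replay(url, sid, token):
    """Send the captured state-changing request; token=None drops the header."""
    headers = {"Cookie": f"session={sid}",
               "Content-Type": "application/x-www-form-urlencoded"}
    if token is not None:
        headers["X-CSRF-Token"] = token
    req = Request(url, data=b"email=attacker%40example.com",
                  headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_csrf_checks(url, sid_a, token_a, sid_b, sid_a_new):
    """Each entry is True when the target behaves as a proper implementation should."""
    altered = ("0" if token_a[0] != "0" else "1") + token_a[1:]  # flip one character
    return {
        "baseline_with_valid_token_accepted": replay(url, sid_a, token_a) == 200,
        "step4_missing_token_rejected": replay(url, sid_a, None) != 200,
        "step5_altered_token_rejected": replay(url, sid_a, altered) != 200,
        "step6_token_in_user_b_session_rejected": replay(url, sid_b, token_a) != 200,
        "step6_token_in_a_new_session_rejected": replay(url, sid_a_new, token_a) != 200,
    }


def demo():
    srv = start_target()
    try:
        url = f"http://127.0.0.1:{srv.server_port}/email"
        sid_a, token_a = new_session()   # user A logs in; token_a is the captured token
        sid_b, _ = new_session()         # user B's session
        sid_a_new, _ = new_session()     # A's fresh session after logging in again
        return run_csrf_checks(url, sid_a, token_a, sid_b, sid_a_new)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every check should come back True against this target. Against a real
application, replace the `!= 200` comparisons with a check of the actual effect
(re-read the profile, list the records) because a 200 with an error page would
otherwise be counted as a pass for the attacker.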

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License