Monday, July 18, 2011

WhiteHat Security’s Approach to Detecting Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) generates many questions from prospects, customers, partners, and Web application security professionals we work with. The questions tend to fall into similar categories, so we figured it would be helpful to summarize them and share our perspective on CSRF. We would definitely appreciate feedback and/or debate from the community to help battle-test our approach.

The 5 Most Often Asked Questions about CSRF:

1. What is CSRF?
2. How do we decide which CSRF to report?
3. How do software security tools find CSRF today?
4. How do we test for CSRF?
5. Why do we consider CSRF unresolved if there are XSS or HTTP Response Splitting vulnerabilities present in the website?
