Mitigating Cross-Site Request Forgery with NoScript

Three months ago Core Security posted an advisory regarding a CSRF vulnerability I’ve found in IBM WebSphere Application Server. While preparing the advisory, I’ve investigated some ways to mitigate this class of vulnerability when, for some reason, there’s no patch available for the affected web application. It turned that Cross-Site Request Forgery can be mitigated both on the server side and on the client side.

Continue reading