Ari Elias-Bachrach

Company : Defensium

Personal/Company Website:

CSRF: not all defenses are created equal

CSRF is an often misunderstood vulnerability. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through all of the various major solutions and describe how they 
implement the general solution and the positives and negatives of each implementation.

The general solution is to implement the synchronizer token pattern. This is usually done in the framework and not by the individual developer. For example .net applications can use the antiforgerytoken (for MVC applications) or viewstateuserkey. Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP of course has the CSRF guard. All of these solutions though are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects can impact usability, or cause worse security problems while trying to defend against CSRF.


Ari has been in infosec for about 10 years. A former penetration tester, he has since migrated over to the defensive side, and spends most of his time working with developers trying to address application security concerns, and trying to bridge the gap between development and security. He can be found at