[WEB SECURITY] Can WAF's block CSRF?
Cyrill Osterwalder
Cyrill.Osterwalder at visonys.com
Fri Oct 27 05:46:10 EDT 2006
Hi all
>That is, can Web Application Firewalls block Cross-Site Request
>Forgery (aka XSRF) attacks?
I'd like to agree with the input of Ryan Barnett pointing to the URL
encryption and cryptographic parameter protection of the WAFEC which I
think is a very powerful mechanism to protect against CSRF/Riding to a
certain extent.
The Visonys Airlock WAF implements both URL encryption and cryptographic
HTML form protection exactly for that reason. Without detailed
customized filter config it can be used by applications easily. It
protects pretty successfully against CSRF/Riding by creating dynamically
protected URLs and HTML forms for a user session. It is therefore
virtually impossible to create external URLs pointing into a protected
application session context.
Doing URL encryption and form protection in a good way means
sophisticated analysis, rewriting and protection of outgoing content (HTML,
JS, CSS, etc.), and protecting locally targeted URLs and parameters with
strong cryptographic algorithms. Especially GET forms are something to
deal with ;-). Of course, there exist circumstances where it is not
possible (e.g. fuzzy URL creation in JS on the client side). But that is
like protecting cookies if the application creates them dynamically on
the client side.
I'd be interested in discussing this approach with your critical
feedback.
Regards
Cyrill
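A minimal model of the mechanism discussed in this post, added here as an illustration and not taken from Airlock or any other product: a proxy keys an HMAC per user session, appends it to every local URL and form action it sends out, and accepts only requests whose MAC matches the exact path and parameter set for that session. The parameter name `_sig`, the session key and the sample HTML are constructed for the example.

```python
import hmac
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TOKEN_PARAM = "_sig"  # hypothetical query parameter carrying the MAC


def _canonical(path: str, pairs: list) -> str:
    """Canonical form of a protected target: path plus sorted parameters."""
    return path + "?" + urlencode(sorted(pairs))


def sign(session_key: bytes, path: str, pairs: list) -> str:
    """HMAC-SHA256 over the canonical target, keyed with the session secret."""
    msg = _canonical(path, pairs).encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


def protect_url(session_key: bytes, url: str) -> str:
    """Rewrite a local URL so it carries a MAC bound to this session."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:  # external links are left untouched
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    mac = sign(session_key, parts.path, pairs)
    pairs.append((TOKEN_PARAM, mac))
    return urlunsplit(("", "", parts.path, urlencode(pairs), parts.fragment))


def verify_request(session_key: bytes, url: str) -> bool:
    """Accept a request only if its MAC was issued to this session for
    exactly this path and parameter set. A link forged on another site
    carries no MAC (or one from a different session) and is rejected.
    Fields a browser appends when submitting a GET form are not covered
    here; as the post notes, GET forms need extra handling."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v for k, v in pairs if k == TOKEN_PARAM]
    pairs = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    if len(supplied) != 1:
        return False
    return hmac.compare_digest(supplied[0], sign(session_key, parts.path, pairs))


_ATTR = re.compile(r'(href|action)="([^"]*)"')


def rewrite_html(session_key: bytes, html: str) -> str:
    """Protect every href/action attribute in outgoing HTML."""
    return _ATTR.sub(lambda m: f'{m.group(1)}="{protect_url(session_key, m.group(2))}"', html)
```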
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]