[WEB SECURITY] CSRF remedies in
Steve Pinkham
steve.pinkham at gmail.com
Wed Jan 14 19:43:09 EST 2009
Eric Rachner wrote:
> As most of us know, ASP.NET provides the ViewStateUserKey
> <http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx>
> feature to mitigate CSRF attacks. But as a primarily Microsoft-oriented
> guy, I'm not personally aware of any equivalent solutions for use in
> other environments, J2EE in particular, except of course for CSRFGuard
> <http://www.owasp.org/index.php/CSRF_Guard>.
>
> Does anyone happen to know whether any web app development platforms
> other than .NET provide CSRF mitigations like ViewStateUserKey?
>
> Much obliged,
>
> - Eric
>
Rails 2.0 and later provides the protect_from_forgery option, which is
on by default and helps defend against CSRF in a similar manner.
In Javaland, Wicket added defense in version 1.3.5.
There's probably more, but those are the ones I care about at the moment...
Steve
--
| Steven E. Pinkham |
| GPG public key ID CD31CAFB |
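
The mitigations named in this thread share one idea: a state-changing request must carry a value tied to the user's own session. The Ruby below is an added illustration of that check and is not part of either message, nor the code of Rails, Wicket or ASP.NET; the names `csrf_token_for`, `request_allowed?` and `SERVER_SECRET` are hypothetical, and the session ids are constructed.

```ruby
require "openssl"
require "securerandom"

# Constructed server-side secret; a real application loads this from its configuration.
SERVER_SECRET = SecureRandom.random_bytes(32)

# Methods treated as read-only (assumption: the application never changes state on them).
SAFE_METHODS = %w[GET HEAD].freeze

# The token is an HMAC over the session id, so it only validates for that session.
def csrf_token_for(session_id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SERVER_SECRET, session_id)
end

# Constant-time comparison, so a mismatch does not reveal how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns true when the request may proceed.
def request_allowed?(http_method, session_id, submitted_token)
  return true if SAFE_METHODS.include?(http_method.upcase)
  # A state-changing request with no session or no token is rejected outright.
  return false if session_id.nil? || submitted_token.nil?
  secure_equal?(csrf_token_for(session_id), submitted_token)
end

# Constructed session ids for two different users.
user_session  = SecureRandom.hex(16)
other_session = SecureRandom.hex(16)

# Form rendered for the user's own session: accepted.
puts request_allowed?("POST", user_session, csrf_token_for(user_session))
# Cross-site form post: the browser sends the session cookie but no token.
puts request_allowed?("POST", user_session, nil)
# Token issued for a different session does not validate for this one.
puts request_allowed?("POST", user_session, csrf_token_for(other_session))
```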