[WEB SECURITY] CSRF remedies in

Arian J. Evans arian.evans at anachronic.com
Wed Jan 14 19:55:51 EST 2009

More and more frameworks are adding CSRF protection. Many have them
today in PHP and Perl land, and probably Python land as well.

Most implement them in the form of a magic token appended to a form.
See Drupal as a common PHP example.


On Wed, Jan 14, 2009 at 4:43 PM, Steve Pinkham <steve.pinkham at gmail.com> wrote:
> Eric Rachner wrote:
>> As most of us know, ASP.NET provides the ViewStateUserKey
>> <http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx>
>> feature to mitigate CSRF attacks.  But as a primarily Microsoft-oriented
>> guy, I'm not personally aware of any equivalent solutions for use in other
>> environments, J2EE in particular, except of course for CSRFGuard
>> <http://www.owasp.org/index.php/CSRF_Guard>.
>> Does anyone happen to know whether any web app development platforms other
>> than .NET provide CSRF mitigations like ViewStateUserKey?
>> Much obliged,
>> - Eric
> Rails 2.0 and later provides the protect_from_forgery option, which is on by
> default and helps defend against CSRF in a similar manner.
> In Javaland, Wicket added defense in version 1.3.5.
> There's probably more, but those are the ones I care about at the moment...
> Steve
> --
>  | Steven E. Pinkham                      |
>  | GPG public key ID CD31CAFB             |

Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi
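The "magic token appended to a form" that the frameworks named in this thread rely on can be shown in a few lines. The following is an added illustration, not code from Drupal, Rails, Wicket or any other project mentioned above: it derives a per-session, per-form token with an HMAC over a server-side secret, embeds it in a hidden form field, and verifies it on submission. The session id, form ids and secret are constructed values for the example; a forging site cannot read the victim's session cookie or the server secret, so it cannot produce a token that passes the check.

```python
import hmac
import hashlib
from html import escape

# Constructed secret for this example only; a real deployment loads it from
# configuration and rotates it, and never hard-codes it in source.
SERVER_SECRET = b"example-only-secret-not-for-use"


def make_csrf_token(session_id: str, form_id: str) -> str:
    """Derive the token as HMAC-SHA256(secret, session_id || form_id).

    Deriving it (instead of storing a random value in the session) keeps the
    server stateless: the check simply recomputes the expected value. The
    session_id comes from the cookie-authenticated session, which a third-party
    page cannot read, so it cannot compute this value either.
    """
    message = f"{session_id}:{form_id}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def render_form(session_id: str, form_id: str, action: str) -> str:
    """Emit a form carrying the token in a hidden field (the 'magic token')."""
    token = make_csrf_token(session_id, form_id)
    return (
        f'<form method="post" action="{escape(action)}">'
        f'<input type="hidden" name="form_token" value="{token}">'
        '<input type="submit" value="Submit">'
        "</form>"
    )


def check_csrf(session_id: str, form_id: str, post_params: dict) -> bool:
    """Verify the submitted token for the form this handler expects.

    The handler names the form_id itself rather than trusting a value in the
    POST body, and the comparison is constant-time so a byte-by-byte timing
    difference cannot leak how much of the token matched.
    """
    submitted = post_params.get("form_token", "")
    expected = make_csrf_token(session_id, form_id)
    return hmac.compare_digest(submitted, expected)


def handle_delete_account(session_id: str, post_params: dict) -> str:
    """A state-changing handler guarded by the token check (hypothetical)."""
    if not check_csrf(session_id, "delete_account", post_params):
        return "rejected: missing or invalid CSRF token"
    return "ok: account deletion performed"


if __name__ == "__main__":
    victim_session = "sess-victim-1234"  # constructed session id
    # Legitimate flow: the page renders the form, the browser posts it back.
    page = render_form(victim_session, "delete_account", "/account/delete")
    token = page.split('name="form_token" value="')[1].split('"')[0]
    print(handle_delete_account(victim_session, {"form_token": token}))
    # A cross-site request rides on the victim's cookie but carries no usable
    # token, because the forging site could not read the session or the secret.
    print(handle_delete_account(victim_session, {}))
```

Running the module prints one accepted and one rejected submission. Tokens bound to a different session or a different form id are also rejected, which is what ties the token to both the user and the specific action.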
