[WEB SECURITY] CSRF remedies in

Walter Tsai walter at armorize.com
Thu Jan 15 02:38:55 EST 2009


Hi folks,

For J2EE:

1. OWASP CSRFGuard: http://www.owasp.org/index.php/How_CSRFGuard_Works
2. Spring provides new support for web state and flow transition authorization through the Spring Web Flow 2.0:
  http://static.springsource.org/spring-security/site/index.html
  (past discussion can be found in here: http://www.webappsec.org/lists/websecurity/archive/2007-04/msg00004.html)
..

Walter
-----Original Message-----
From: arian.evans at gmail.com [mailto:arian.evans at gmail.com] On Behalf Of Arian J. Evans
Sent: Thursday, January 15, 2009 8:56 AM
To: Eric Rachner; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] CSRF remedies in

More and more frameworks are adding CSRF protection. Many have them
today in PHP and Perl land, and probably Python land as well.

Most implement them in the form of a magic token appended to a form.
See Drupal as a common PHP example.

-ae

On Wed, Jan 14, 2009 at 4:43 PM, Steve Pinkham <steve.pinkham at gmail.com> wrote:
> Eric Rachner wrote:
>>
>> As most of us know, ASP.NET provides the ViewStateUserKey
>> <http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx>
>> feature to mitigate CSRF attacks.  But as a primarily Microsoft-oriented
>> guy, I'm not personally aware of any equivalent solutions for use in other
>> environments, J2EE in particular, except of course for CSRFGuard
>> <http://www.owasp.org/index.php/CSRF_Guard>.
>>
>> Does anyone happen to know whether any web app development platforms other
>> than .NET provide CSRF mitigations like ViewStateUserKey?
>>
>> Much obliged,
>>
>> - Eric
>>
> Rails 2.0 and later provides the protect_from_forgery option, which is on by
> default and helps defend against CSRF in a similar manner.
> In Javaland, Wicket added defense in version 1.3.5.
> There's probably more, but those are the ones I care about at the moment...
>
> Steve
> --
>  | Steven E. Pinkham                      |
>  | GPG public key ID CD31CAFB             |
>


-- 
Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi
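The "magic token appended to a form" pattern Arian describes, as an added example that is not code from this thread or from any of the frameworks named in it: a per-session secret is emitted as a hidden field and every state-changing POST is rejected unless it carries a token that matches the one stored for that session. `SESSIONS`, `render_form` and `verify_post` are names assumed for this illustration.

```python
import hmac
import secrets
from html import escape
from typing import Dict, Optional

# Constructed in-memory session store; a real application would use
# its framework's server-side session instead.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Create a server-side session and return its id (the cookie value)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def csrf_token_for(session_id: str) -> str:
    """Return the session's anti-CSRF token, generating it on first use.

    The token lives only in the server-side session, so a cross-site
    page cannot read it and cannot forge a request that includes it.
    """
    sess = SESSIONS[session_id]
    if "csrf" not in sess:
        sess["csrf"] = secrets.token_urlsafe(32)
    return sess["csrf"]


def render_form(session_id: str, action: str) -> str:
    """Emit a form with the session's token appended as a hidden field."""
    token = csrf_token_for(session_id)
    return (f'<form method="post" action="{escape(action, quote=True)}">'
            f'<input type="hidden" name="_csrf" value="{token}">'
            '<input type="submit" value="Go"></form>')


def verify_post(session_id: Optional[str], form: Dict[str, str]) -> bool:
    """Accept a POST only if its _csrf field matches the session's token.

    Rejects: no session, unknown session, a session that never issued a
    token, a missing field, and a token issued to a different session.
    """
    if session_id is None or session_id not in SESSIONS:
        return False
    expected = SESSIONS[session_id].get("csrf")
    submitted = form.get("_csrf")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak token bytes.
    return hmac.compare_digest(expected, submitted)
```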

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
