[WEB SECURITY] CSRF remedies in

Minoo Hamilton minoo at forkbolt.net
Thu Jan 15 13:23:32 EST 2009


There's also the Java Web Application Security Framework called HDIV 
<www.hdiv.org>, which currently integrates with Struts 1.x, Struts 
2.x, Spring MVC or JSTL.  It does handle anti-CSRF tokens.  This is one 
of the things I've been looking at, because, suddenly in Spring Webflow 
2.0, the complexity of the token generation changed and no longer has 
the same level of side-benefit for foiling CSRF.  I suppose it was never 
intended to be a security feature in Spring (as somebody else mentioned). 

Here's an interesting discussion:
http://wiki.apache.org/struts/HDIV


Minoo

>
> *From:* Eric Rachner [mailto:eric at rachner.us]
> *Sent:* Wednesday, January 14, 2009 7:30 PM
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] CSRF remedies in
>
> As most of us know, ASP.NET provides the 
> ViewStateUserKey 
> <http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx> 
> feature to mitigate CSRF attacks.  But as a primarily 
> Microsoft-oriented guy, I'm not personally aware of any equivalent 
> solutions for use in other environments, J2EE in particular, except of 
> course for CSRFGuard <http://www.owasp.org/index.php/CSRF_Guard>.
>
> Does anyone happen to know whether any web app development platforms 
> other than .NET provide CSRF mitigations like ViewStateUserKey?
>
> Much obliged,
>
> - Eric
>
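The thread turns on anti-CSRF tokens that are bound to the user's session (ViewStateUserKey, HDIV, CSRFGuard). Below is an added, framework-agnostic model of that check in Python; it is not code from any of those projects or from the posters, and the server secret, session keys and form ids are constructed for the demonstration.

```python
"""Session-bound anti-CSRF token (synchronizer token) model.

The hidden form field is an HMAC over the user's session key and the form
identity, so a token lifted from an attacker's own session does not validate
for a victim's session. Session keys and form ids here are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed: per-process secret; a real deployment would load it from config.
SERVER_SECRET = secrets.token_bytes(32)


def new_session_key() -> str:
    """Unguessable per-login key, the analogue of the value ViewStateUserKey
    is set to for each authenticated user."""
    return secrets.token_hex(32)


def issue_token(session_key: str, form_id: str) -> str:
    """Derive the hidden field for one form in one session.

    Forging it needs SERVER_SECRET; a different session_key yields a
    different MAC, which is what defeats a cross-site forged request."""
    msg = f"{session_key}|{form_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_token(session_key: str, form_id: str, submitted) -> bool:
    """Recompute and compare in constant time; a missing field is rejected."""
    if not isinstance(submitted, str):
        return False
    expected = issue_token(session_key, form_id)
    return hmac.compare_digest(expected, submitted)


def handle_post(session_key: str, form_id: str, form_fields: dict) -> str:
    """State-changing handler: reject before doing any work if the token fails."""
    if not verify_token(session_key, form_id, form_fields.get("csrf_token")):
        return "403 Forbidden"
    return "200 OK"


if __name__ == "__main__":
    victim, attacker = new_session_key(), new_session_key()
    good = {"csrf_token": issue_token(victim, "transfer"), "amount": "100"}
    forged = {"csrf_token": issue_token(attacker, "transfer"), "amount": "100"}
    print(handle_post(victim, "transfer", good))               # 200 OK
    print(handle_post(victim, "transfer", forged))             # 403 Forbidden
    print(handle_post(victim, "transfer", {"amount": "100"}))  # 403 Forbidden
```

Because the token is derived from the session key, the key must be unguessable and replaced at login, which is the same caveat that applies to what ViewStateUserKey is set to.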

