[WEB SECURITY] CSRF remedies in
Minoo Hamilton
minoo at forkbolt.net
Thu Jan 15 13:23:32 EST 2009
There's also the Java web application security framework called HDIV
<www.hdiv.org>, which currently integrates with Struts 1.x, Struts
2.x, Spring MVC or JSTL. It does handle anti-CSRF tokens. This is one
of the things I've been looking at, because suddenly, in Spring Webflow
2.0, the complexity of the token generation changed and it no longer has
the same level of side-benefit for foiling CSRF. I suppose it was never
intended to be a security feature in Spring (as somebody else mentioned).
Here's an interesting discussion:
http://wiki.apache.org/struts/HDIV
Minoo
> *From:* Eric Rachner [mailto:eric at rachner.us]
> *Sent:* Wednesday, January 14, 2009 7:30 PM
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] CSRF remedies in
>
> As most of us know, ASP.NET provides the ViewStateUserKey
> <http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx>
> feature to mitigate CSRF attacks. But as a primarily
> Microsoft-oriented guy, I'm not personally aware of any equivalent
> solutions for use in other environments, J2EE in particular, except of
> course for CSRFGuard <http://www.owasp.org/index.php/CSRF_Guard>.
>
> Does anyone happen to know whether any web app development platforms
> other than .NET provide CSRF mitigations like ViewStateUserKey?
>
> Much obliged,
>
> - Eric
>
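The thread above compares framework-provided CSRF defences (ViewStateUserKey, HDIV, CSRFGuard) without showing what they have in common. The following is an added example, not code from this list, from HDIV, or from ASP.NET: a framework-agnostic synchronizer-token filter in Python that does the job those components do in their own environments. An unguessable token is minted server-side, stored in the user's session, emitted into every state-changing form, and checked with a constant-time comparison before the request is processed. Binding the token to the session is the property that makes it worthless to an attacker who obtains a token from their own session, which is the same idea as keying ViewState per user. The field name `_csrf_token`, the session dictionaries and the `/transfer` scenario are all constructed for the illustration.

```python
"""Synchronizer-token anti-CSRF check, framework-agnostic illustration.

Added example; the field name, session objects and request scenario are
constructed here and are not taken from HDIV, CSRFGuard or ASP.NET.
"""
import hmac
import secrets

# Hypothetical form-field name for the token.
TOKEN_FIELD = "_csrf_token"
# Methods that must never change state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def get_or_create_token(session: dict) -> str:
    """Return the session's anti-CSRF token, minting one on first use.

    The token lives server-side in the session, so a value an attacker
    obtains from their own session does not validate in a victim's.
    """
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session: dict, action: str) -> str:
    """Emit a POST form that carries the session's token as a hidden field."""
    token = get_or_create_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        f'<input name="amount"><button>Send</button></form>'
    )


def csrf_filter(method: str, session: dict, form: dict) -> bool:
    """Return True if the request may proceed to the controller.

    This is the check a servlet filter or framework interceptor performs:
    safe methods pass; any other method must present the session's token.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD, "")
    # No token in the session (never rendered a form) or none submitted: reject.
    if not expected or not submitted:
        return False
    # Constant-time comparison so timing does not leak token bytes.
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Constructed scenario: a legitimate POST, two forged POSTs and a GET."""
    victim_session: dict = {}
    attacker_session: dict = {}

    # The victim loads the real page; the token enters her session and markup.
    victim_form = render_form(victim_session, "/transfer")
    victim_token = victim_session[TOKEN_FIELD]

    # The attacker has a token too, but it belongs to the attacker's session.
    attacker_token = get_or_create_token(attacker_session)

    return {
        # Genuine submission from the victim's own form.
        "legit_post": csrf_filter(
            "POST", victim_session, {TOKEN_FIELD: victim_token, "amount": "10"}
        ),
        # Cross-site form with no token: the classic CSRF attempt.
        "forged_no_token": csrf_filter(
            "POST", victim_session, {"amount": "10000"}
        ),
        # Cross-site form replaying a token from the attacker's session.
        "forged_attacker_token": csrf_filter(
            "POST", victim_session, {TOKEN_FIELD: attacker_token, "amount": "10000"}
        ),
        # Safe method: allowed without a token.
        "safe_get": csrf_filter("GET", victim_session, {}),
        # The token really was emitted into the rendered form.
        "token_in_markup": victim_token in victim_form,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Two caveats a practitioner would add to this: the filter only protects handlers that actually respect the safe-method rule, so any GET that changes state bypasses it, and the token must stay out of URLs so it is not leaked through Referer headers or logs. The point made in the thread about Spring Webflow applies here as well: an identifier that happens to be hard to guess is not a CSRF defence unless it is deliberately generated with a CSPRNG, bound to the session and checked on every state-changing request.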