[WEB SECURITY] CSRF remedies in

54van7 54van7 at securityisdead.com
Fri Jan 16 08:15:09 EST 2009


Essentially, preventing arbitrary URLs from being supplied as the redirect
parameter value.
This is achieved by creating a whitelist validation routine
(e.g. regex, etc.) that only allows known "good" values proper for your
application and rejects all other supplied values.

Here's an advisory for an example of the threat:
http://xforce.iss.net/xforce/xfdb/46061

Regards,

-Joe

Stephan Wehner wrote:
> Be sure to prevent open redirects by white listing the sites for which you need to allow redirects.
>
> I lost you with this one. Do you mind explaining?
>
> Stephan
>
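Added example (not part of the original message or of any project): two whitelist validation routines for a redirect parameter, of the kind Joe describes above. The first maps a short name to a fixed destination (the strictest form, since no URL is ever taken from the request); the second accepts a URL but only if it is a same-site relative path or an absolute URL whose host is on an explicit allowlist. The host names, the fixed destinations and the fallback of "/" are assumptions for illustration. The rejections cover the usual open-redirect bypasses: protocol-relative "//evil.example", "user@host" tricks, backslashes that browsers treat as slashes, and non-http schemes such as javascript:.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts this application may redirect to (illustrative).
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
ALLOWED_SCHEMES = {"https"}

# Assumed name -> destination table (illustrative). The request carries only
# the key, never a URL, so there is nothing for an attacker to inject.
NAMED_REDIRECTS = {
    "home": "/",
    "profile": "/account/profile",
    "login": "https://accounts.example.com/login",
}

FALLBACK = "/"


def resolve_redirect_by_name(name: str, fallback: str = FALLBACK) -> str:
    """Strictest whitelist: look the supplied key up in a fixed table."""
    return NAMED_REDIRECTS.get(name, fallback)


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only same-site paths or absolute URLs to allowlisted hosts."""
    if not target:
        return False
    # Control characters enable header injection; backslashes are treated as
    # slashes by browsers, so "/\evil.example" would leave the site.
    if any(c in target for c in "\\\r\n\t\x00"):
        return False

    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path on this site, and not
        # protocol-relative ("//evil.example" parses with a netloc, but a
        # lone "/" followed by "/" is still checked here defensively).
        return target.startswith("/") and not target.startswith("//")

    # Anything with a scheme or netloc must be an allowlisted absolute URL.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Reject "https://www.example.com@evil.example/": the part before "@"
    # is userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False

    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_redirect(target: str, fallback: str = FALLBACK) -> str:
    """Return the supplied target if it passes validation, else the fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: the first two are benign, the rest are
    # typical open-redirect payloads.
    samples = [
        "/dashboard",
        "https://www.example.com/account",
        "//evil.example/phish",
        "https://www.example.com@evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://evil.example/",
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_redirect(s)}")
    print("by name:", resolve_redirect_by_name("profile"), resolve_redirect_by_name("evil"))
```

The name-keyed lookup is preferable wherever the set of destinations is known at design time; the URL validator is for the cases where a full URL genuinely has to round-trip through the client, and even then the fallback means a failed check sends the user somewhere on the site rather than producing an error that leaks which inputs were tried.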