[WEB SECURITY] How are you tackling CSRF?
pavol.luptak at nethemba.com
Sat Apr 30 13:26:20 EDT 2011
On Sun, Apr 24, 2011 at 04:10:33AM +0300, MustLive wrote:
> it at all, some don't do it reliably), nor WAFs can adequately protect
> against CSRF holes (the same as with scanners). Take into account that there
Is it still true? I guess that modern WAFs (commercial ones) are able to
add anti-CSRF tokens into all POST hidden fields (and probably also anti-CSRF
tokens to GET requests) and transparently remove them (after verification)
before sending them to the backend application. So it should be a completely
transparent anti-CSRF solution even for completely CSRF-vulnerable applications
(e.g. those which keep the session ID only in cookies with no CSRF protection).
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
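One way the transparent WAF-side scheme described above could work, as an added sketch that is not code from this posting or from any product: the proxy injects an HMAC token bound to the session cookie into every POST form in a response, then verifies and strips it from inbound POST bodies before forwarding. The key, field name and session-id handling are assumptions.

```python
import hmac
import hashlib
import re
from urllib.parse import parse_qs, urlencode

# Assumption: a WAF-side secret that never reaches the backend or the browser.
SECRET = b"constructed-waf-secret-rotate-in-production"
TOKEN_FIELD = "__waf_csrf"  # assumed name of the injected hidden field

def make_token(session_id: str) -> str:
    """Token is an HMAC over the session cookie, so it is bound to one session."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def inject_tokens(html: str, session_id: str) -> str:
    """Response path: add the hidden token to every <form method=post>."""
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{make_token(session_id)}">'
    return re.sub(r'(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)',
                  r'\1' + hidden, html, flags=re.IGNORECASE)

def verify_and_strip(body: str, session_id: str):
    """Request path: check the token on an inbound POST and remove it.

    Returns (ok, body_for_backend). When ok is False the WAF should block
    the request; the backend never sees the token field either way.
    """
    fields = parse_qs(body, keep_blank_values=True)
    sent = fields.pop(TOKEN_FIELD, [""])[0]
    ok = hmac.compare_digest(sent, make_token(session_id))
    return ok, urlencode(fields, doseq=True)

if __name__ == "__main__":
    sid = "constructed-session-id"
    page = '<form method="post" action="/transfer"><input name="amt"></form>'
    print(inject_tokens(page, sid))
    print(verify_and_strip("amt=100&" + TOKEN_FIELD + "=" + make_token(sid), sid))
```

This covers only classic HTML forms; requests built by JavaScript, multipart uploads and GET-based state changes need their own injection points, and a per-session token should be paired with a short lifetime or per-request nonce.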