[WEB SECURITY] How are you tackling CSRF?

Pavol Luptak pavol.luptak at nethemba.com
Sat Apr 30 13:26:20 EDT 2011


Hi,

On Sun, Apr 24, 2011 at 04:10:33AM +0300, MustLive wrote:
> it at all, some don't do it reliably), nor WAFs can adequately protect
> against CSRF holes (the same as with scanners). Take into account that there

Is it still true? I guess that modern WAFs (commercial ones) are able to 
add anti-CSRF tokens into all POST hidden fields (and probably also anti-CSRF 
tokens to GET requests) and transparently remove them (after verification)
before sending them to the backend application. So it should be a completely 
transparent anti-CSRF solution even for completely CSRF-vulnerable applications
(e.g. those which use a session ID just in cookies with no CSRF protection).

Pavol
-- 
______________________________________________________________________________
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
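
The token rewriting described in the message above, as an added example that is not part of the original post and not any WAF product's code: the proxy adds a hidden token to POST forms on the way out, then verifies and strips it on the way in. The field name `__waf_csrf`, the key, and the function names are hypothetical; it assumes forms present in the served HTML, urlencoded bodies, and a session ID already read from the cookie.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

WAF_KEY = b"constructed-demo-key"  # assumption: secret held only by the WAF
FIELD = "__waf_csrf"               # hypothetical hidden-field name

# Matches the opening tag of a form whose method is POST (static HTML only).
FORM_POST = re.compile(r"(<form\b[^>]*\bmethod\s*=\s*[\"']?post[\"']?[^>]*>)", re.I)

# Constructed sample page from a backend with no CSRF protection of its own.
PAGE = '<form action="/transfer" method="POST"><input name="amount"></form>'


def token_for(session_id: str) -> str:
    """HMAC over the session cookie value: a token is valid for one session only."""
    return hmac.new(WAF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def rewrite_response(html: str, session_id: str) -> str:
    """Outbound: insert the hidden token right after every POST <form> tag."""
    hidden = f'<input type="hidden" name="{FIELD}" value="{token_for(session_id)}">'
    return FORM_POST.sub(lambda m: m.group(1) + hidden, html)


def filter_request(method: str, body: str, session_id: str):
    """Inbound: return the body to forward to the backend, or None to block."""
    if method.upper() != "POST":
        return body
    fields = parse_qsl(body, keep_blank_values=True)
    supplied = [v for k, v in fields if k == FIELD]
    expected = token_for(session_id).encode()
    # Exactly one token, compared in constant time; anything else is blocked.
    if len(supplied) != 1 or not hmac.compare_digest(supplied[0].encode(), expected):
        return None
    # Strip the token so the backend never sees the extra field.
    return urlencode([(k, v) for k, v in fields if k != FIELD])


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(rewrite_response(PAGE, sid))
    print(filter_request("POST", f"amount=100&{FIELD}={token_for(sid)}", sid))
    print(filter_request("POST", "amount=100", sid))  # forged request: None
```

Forms or requests built by client-side script never pass through `rewrite_response`, so their POSTs arrive without a token and are blocked unless the proxy handles them separately.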