[WEB SECURITY] How are you tackling CSRF?

MustLive mustlive at websecurity.com.ua
Mon May 2 15:16:22 EDT 2011

Hi Pavol!

> Is it still true? I guess that modern WAFs (commercial ones) are able to

It's from what I know :-) - I haven't heard about WAFs which can protect 
against CSRF (and it must be completely transparent). If there will be such 
WAFs which will be protecting against CSRF completely transparent and 
without creating of problems for correct work of the sites, then it'll be 
good solution for protecting all those multiple webapps which are vulnerable 
to CSRF (and there are a lot of them, as old as new ones, which partly or 
completely vulnerable to CSRF).

Taking into account that it's hard task it'll be not easy to make such 100% 
transparent and 100% reliable WAF with CSRF protection (which must not only 
protect all requests, especially important ones, e.g. with tokens, but also 
automatically decided which places are important and where for example not 
needed to add tokens, carefully decide in case of GET requests, not overdo 
with tokens where it's not needed to not overload the server, etc.). 
Meanwhile the one and only reliable protection method - it's manually 
protecting against CSRF (by writing appropriate programming code).

Besides, concerning CSRF topic - recently I wrote in my article "Attacks on 
unprotected login forms" 
also about CSRF attacks on login forms. It can be as direct CSRF attacks 
(e.g. for remote loginning), as for conducting of other attacks, such as XSS 
and Redirector (like in MyBB which I mentioned in the article).

Best wishes & regards,
Administrator of Websecurity web site

----- Original Message ----- 
From: "Pavol Luptak" <pavol.luptak at nethemba.com>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <websecurity at lists.webappsec.org>
Sent: Saturday, April 30, 2011 8:26 PM
Subject: Re: [WEB SECURITY] How are you tackling CSRF?


On Sun, Apr 24, 2011 at 04:10:33AM +0300, MustLive wrote:
> it at all, some don't do it reliably), nor WAFs can adequately protect
> against CSRF holes (the same as with scanners). Take into account that 
> there

Is it still true? I guess that modern WAFs (commercial ones) are able to
add anti-CSRF tokens into all POST hidden fields (and probably also 
tokens to GET requests) and transparently remove them (after verification)
before sending them to the backend application. So it should be completely
transparent anti-CSRF solution even for completely CSRF vulnerable 
(e.g. those ones which use session ID just in cookies with no CSRF 

[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: 

More information about the websecurity mailing list