[WEB SECURITY] How are you tackling CSRF?

ramesh mv mvram03 at gmail.com
Tue May 3 08:12:09 EDT 2011


Hi Pavol,

Barracuda Web Application Firewall effectively blocks CSRF. You check the
configuration options in waf.barracuda.com.

Thank you,
Ramesh

On Tue, May 3, 2011 at 12:46 AM, MustLive <mustlive at websecurity.com.ua>wrote:

> Hi Pavol!
>
>
>  Is it still true? I guess that modern WAFs (commercial ones) are able to
>>
>
> It's from what I know :-) - I haven't heard about WAFs which can protect
> against CSRF (and it must be completely transparent). If there will be such
> WAFs which will be protecting against CSRF completely transparent and
> without creating of problems for correct work of the sites, then it'll be
> good solution for protecting all those multiple webapps which are vulnerable
> to CSRF (and there are a lot of them, as old as new ones, which partly or
> completely vulnerable to CSRF).
>
> Taking into account that it's hard task it'll be not easy to make such 100%
> transparent and 100% reliable WAF with CSRF protection (which must not only
> protect all requests, especially important ones, e.g. with tokens, but also
> automatically decided which places are important and where for example not
> needed to add tokens, carefully decide in case of GET requests, not overdo
> with tokens where it's not needed to not overload the server, etc.).
> Meanwhile the one and only reliable protection method - it's manually
> protecting against CSRF (by writing appropriate programming code).
>
> Besides, concerning CSRF topic - recently I wrote in my article "Attacks on
> unprotected login forms" (
> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html)
> also about CSRF attacks on login forms. It can be as direct CSRF attacks
> (e.g. for remote loginning), as for conducting of other attacks, such as XSS
> and Redirector (like in MyBB which I mentioned in the article).
>
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Pavol Luptak" <
> pavol.luptak at nethemba.com>
> To: "MustLive" <mustlive at websecurity.com.ua>
>
> Cc: <websecurity at lists.webappsec.org>
> Sent: Saturday, April 30, 2011 8:26 PM
> Subject: Re: [WEB SECURITY] How are you tackling CSRF?
>
>
>
> Hi,
>
> On Sun, Apr 24, 2011 at 04:10:33AM +0300, MustLive wrote:
>
>> it at all, some don't do it reliably), nor WAFs can adequately protect
>> against CSRF holes (the same as with scanners). Take into account that
>> there
>>
>
> Is it still true? I guess that modern WAFs (commercial ones) are able to
> add anti-CSRF tokens into all POST hidden fields (and probably also
> anti-CSRF
> tokens to GET requests) and transparently remove them (after verification)
> before sending them to the backend application. So it should be completely
> transparent anti-CSRF solution even for completely CSRF vulnerable
> applications
> (e.g. those ones which use session ID just in cookies with no CSRF
> protection).
>
> Pavol
> --
>
> ______________________________________________________________________________
> [Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel:
> +421905400542]
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110503/10a43787/attachment-0003.html>


More information about the websecurity mailing list