[WEB SECURITY] How are you tackling CSRF?

ramesh mv mvram03 at gmail.com
Tue May 3 08:12:09 EDT 2011

Hi Pavol,

Barracuda Web Application Firewall effectively blocks CSRF. You can check the
configuration options at waf.barracuda.com.

Thank you,

On Tue, May 3, 2011 at 12:46 AM, MustLive <mustlive at websecurity.com.ua> wrote:

> Hi Pavol!
>> Is it still true? I guess that modern WAFs (commercial ones) are able to
> It's from what I know :-) - I haven't heard about WAFs which can protect
> against CSRF (and it must be completely transparent). If there were such
> WAFs, protecting against CSRF completely transparently and without creating
> problems for the correct working of the sites, then it would be a good
> solution for protecting all those numerous webapps which are vulnerable to
> CSRF (and there are a lot of them, old as well as new ones, which are partly
> or completely vulnerable to CSRF).
> Taking into account that it's a hard task, it won't be easy to make such a
> 100% transparent and 100% reliable WAF with CSRF protection (which must not
> only protect all requests, especially important ones, e.g. with tokens, but
> also automatically decide which places are important and where, for example,
> tokens are not needed, carefully decide in the case of GET requests, not
> overdo tokens where they are not needed so as not to overload the server, etc.).
> Meanwhile the one and only reliable protection method is manually protecting
> against CSRF (by writing appropriate program code).
> Besides, concerning the CSRF topic - recently I wrote in my article "Attacks on
> unprotected login forms" (
> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html)
> also about CSRF attacks on login forms. They can be direct CSRF attacks
> (e.g. for remote login), or used for conducting other attacks, such as XSS
> and Redirector (like in MyBB, which I mentioned in the article).
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> ----- Original Message ----- From: "Pavol Luptak" <
> pavol.luptak at nethemba.com>
> To: "MustLive" <mustlive at websecurity.com.ua>
> Cc: <websecurity at lists.webappsec.org>
> Sent: Saturday, April 30, 2011 8:26 PM
> Subject: Re: [WEB SECURITY] How are you tackling CSRF?
> Hi,
> On Sun, Apr 24, 2011 at 04:10:33AM +0300, MustLive wrote:
>> it at all, some don't do it reliably), nor WAFs can adequately protect
>> against CSRF holes (the same as with scanners). Take into account that
>> there
> Is it still true? I guess that modern WAFs (commercial ones) are able to
> add anti-CSRF tokens into all POST hidden fields (and probably also
> anti-CSRF tokens to GET requests) and transparently remove them (after
> verification) before sending them to the backend application. So it should
> be a completely transparent anti-CSRF solution even for completely CSRF
> vulnerable applications (e.g. those ones which use session ID just in
> cookies with no CSRF protection).
> Pavol
> --
> ______________________________________________________________________________
> [Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel:
> +421905400542]
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
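A minimal sketch of the transparent token-injection scheme Pavol describes (inject a hidden token into POST forms on the way out, verify and strip it on the way in), added here as an illustration; it is not code from any product or list member. The per-deployment key, session id, field name and the form regex are assumptions, and the filter deliberately leaves GET requests alone, which is the caveat MustLive raises.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qs, urlencode

SECRET = os.urandom(32)          # assumed per-deployment key, generated at start-up
TOKEN_FIELD = "_waf_csrf"        # assumed name of the injected hidden field

# Match only forms submitted via POST; GET forms are left untouched.
_POST_FORM_RE = re.compile(r"""(<form\b[^>]*\bmethod\s*=\s*["']?post["']?[^>]*>)""", re.I)


def token_for(session_id: str) -> str:
    """Token bound to the session, so a token captured for one session
    cannot be replayed in another."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def inject_tokens(html: str, session_id: str) -> str:
    """Response filter: append a hidden token input right after each POST <form> tag.
    The token is hex, so it needs no HTML escaping."""
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{token_for(session_id)}">'
    return _POST_FORM_RE.sub(lambda m: m.group(1) + hidden, html)


def verify_and_strip(method: str, body: str, session_id: str):
    """Request filter for urlencoded bodies.
    Returns (allowed, body_to_forward). State-changing methods must carry a valid
    token, which is removed before the request reaches the backend. GET is not
    checked here: the thread notes that deciding what to do with GET is the hard part."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, body
    params = parse_qs(body, keep_blank_values=True)
    supplied = params.pop(TOKEN_FIELD, [""])[0]
    if not hmac.compare_digest(supplied, token_for(session_id)):
        return False, ""
    # Re-encoding normalises the body; a real WAF would splice out only the
    # token bytes to keep the original encoding intact for the backend.
    return True, urlencode(params, doseq=True)
```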