[WEB SECURITY] How are you tackling CSRF?

Andre Van Klaveren andre at vanklaverens.com
Tue May 3 22:15:24 EDT 2011


Just remember to keep it on and active!  ;)



On Tue, May 3, 2011 at 7:12 AM, ramesh mv <mvram03 at gmail.com> wrote:

> Hi Pavol,
>
> Barracuda Web Application Firewall effectively blocks CSRF. You can check the
> configuration options at waf.barracuda.com.
>
> Thank you,
> Ramesh
>
> On Tue, May 3, 2011 at 12:46 AM, MustLive <mustlive at websecurity.com.ua> wrote:
>
>> Hi Pavol!
>>
>>
>>> Is it still true? I guess that modern WAFs (commercial ones) are able to
>>
>> It's from what I know :-) - I haven't heard about WAFs which can protect
>> against CSRF (and it must be completely transparent). If there are such
>> WAFs which protect against CSRF completely transparently and without
>> creating problems for the correct work of the sites, then it'll be a good
>> solution for protecting all those multiple webapps which are vulnerable to
>> CSRF (and there are a lot of them, old ones as well as new ones, which are
>> partly or completely vulnerable to CSRF).
>>
>> Taking into account that it's a hard task, it'll not be easy to make such a
>> 100% transparent and 100% reliable WAF with CSRF protection (which must not
>> only protect all requests, especially important ones, e.g. with tokens, but
>> also automatically decide which places are important and where, for example,
>> tokens are not needed, carefully decide in the case of GET requests, not
>> overdo it with tokens where they're not needed so as not to overload the
>> server, etc.). Meanwhile the one and only reliable protection method is
>> manually protecting against CSRF (by writing appropriate programming code).
>>
>> Besides, concerning the CSRF topic - recently I wrote in my article "Attacks
>> on unprotected login forms" (
>> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html)
>> also about CSRF attacks on login forms. They can be direct CSRF attacks
>> (e.g. for remote logging in), as well as for conducting other attacks, such
>> as XSS and Redirector (like in MyBB, which I mentioned in the article).
>>
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> ----- Original Message ----- From: "Pavol Luptak" <
>> pavol.luptak at nethemba.com>
>> To: "MustLive" <mustlive at websecurity.com.ua>
>>
>> Cc: <websecurity at lists.webappsec.org>
>> Sent: Saturday, April 30, 2011 8:26 PM
>> Subject: Re: [WEB SECURITY] How are you tackling CSRF?
>>
>>
>>
>> Hi,
>>
>> On Sun, Apr 24, 2011 at 04:10:33AM +0300, MustLive wrote:
>>
>>> it at all, some don't do it reliably), nor WAFs can adequately protect
>>> against CSRF holes (the same as with scanners). Take into account that
>>> there
>>>
>>
>> Is it still true? I guess that modern WAFs (commercial ones) are able to
>> add anti-CSRF tokens into all POST hidden fields (and probably also
>> anti-CSRF tokens to GET requests) and transparently remove them (after
>> verification) before sending them to the backend application. So it should
>> be a completely transparent anti-CSRF solution even for completely CSRF
>> vulnerable applications (e.g. those ones which use the session ID just in
>> cookies with no CSRF protection).
>>
>> Pavol
>> --
>>
>> ______________________________________________________________________________
>> [Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel:
>> +421905400542]
>>
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>
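Pavol's transparent-WAF idea from the quoted thread, as an added sketch (example code written for this page, not from the thread or from any WAF product): a proxy layer that appends a per-session token to every POST form on the way out, then verifies and strips it on the way in before the backend ever sees it. The field name `__waf_csrf`, the secret key and the session identifier are assumptions; the final section also shows the limit MustLive raises, since a POST the browser builds without first loading a form through the proxy carries no token and is rejected.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Constructed values: a real deployment would use a random per-instance key.
WAF_SECRET = b"constructed-waf-secret-key"
FIELD = "__waf_csrf"  # hypothetical name of the hidden field the WAF injects

# Matches the opening tag of any form that submits with POST (case-insensitive).
POST_FORM_RE = re.compile(r'<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>', re.I)


def token_for(session_id: str) -> str:
    """Bind the token to the user's session cookie: a token captured from one
    session is useless for forging requests in another."""
    return hmac.new(WAF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def inject_tokens(html: str, session_id: str) -> str:
    """Response path: append a hidden token field to every POST form the backend
    emits. GET forms and script-built requests are left untouched."""
    field = f'<input type="hidden" name="{FIELD}" value="{token_for(session_id)}">'
    return POST_FORM_RE.sub(lambda m: m.group(0) + field, html)


def verify_and_strip(session_id: str, body: str):
    """Request path: require exactly one valid token in a POST body, then remove
    it so the backend sees the form exactly as it originally designed it.
    Returns (accepted, body_to_forward)."""
    fields = parse_qsl(body, keep_blank_values=True)
    presented = [v for k, v in fields if k == FIELD]
    if len(presented) != 1:
        return False, None
    if not hmac.compare_digest(presented[0], token_for(session_id)):
        return False, None
    return True, urlencode([(k, v) for k, v in fields if k != FIELD])


if __name__ == "__main__":
    sid = "sessid-constructed-1"
    page = '<form action="/transfer" method="POST"><input name="to"></form>'
    tok = token_for(sid)
    print(inject_tokens(page, sid))
    # Browser submits the injected form: accepted, token stripped before forwarding.
    print(verify_and_strip(sid, f"to=bob&amount=10&{FIELD}={tok}"))
    # Cross-site POST has no token (the page is not readable cross-origin): rejected.
    print(verify_and_strip(sid, "to=bob&amount=10"))
    # Same site's own script-built POST that never loaded a form: also rejected,
    # which is the "breaks correct work of the site" cost of full transparency.
    print(verify_and_strip("sessid-other", f"to=bob&amount=10&{FIELD}={tok}"))
```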