Posted to users@httpd.apache.org by Henrik Strand <he...@axis.com> on 2012/02/20 11:50:31 UTC

[users@httpd] Cross-Site Request Forgery

Hi,

What are your best practices against Cross-Site Request Forgery?

According to owasp.org a CSRFToken should be generated and added as a
hidden form value. 

Does Apache Httpd support this out-of-the-box (incl. validation of the
token for each subsequent request until the session expires)? 

Best Regards,
Henrik


https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


AW: [users@httpd] Cross-Site Request Forgery

Posted by "Abfalterer, Armin" <Ar...@united-security-providers.ch>.
> > Does anyone know of ANY web server that provides
> > CSRF protection at the web server level?  I'm curious.
> >

Take a look at mod_security that provides CSRF prevention mechanism by means of JS injection.

 

Re: [users@httpd] Cross-Site Request Forgery

Posted by Tom Evans <te...@googlemail.com>.
On Mon, Feb 20, 2012 at 2:26 PM, Mark Montague <ma...@catseye.org> wrote:
> On the other hand, I could see providing CSRF protection at the web server
> level as being useful, since you then would not need to trust each web
> application author to both completely implement CSRF protection and to
> implement it correctly.  Does anyone know of ANY web server that provides
> CSRF protection at the web server level?  I'm curious.
>

I'm not aware of one, but one could implement such a scheme in apache,
using mod_session as backend, an output filter detecting the start of
a form tag in responses, grokking an internal location and auto
inserting the csrf token, and an input filter refusing POST requests
when the csrf token is not supplied or does not match that in the
session.

I think rewriting forms to insert csrf tokens is a bit 'eeurgh!' personally…

Cheers

Tom
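The scheme Tom sketches above (a session-backed token, an output filter that inserts it into every form, and an input filter that refuses POSTs whose token is missing or does not match) as an added Python example; this is not code from the thread or from httpd, and the field name, session key and sample HTML are assumptions.

```python
import hmac
import re
import secrets
from html import escape

# Assumed names for the hidden form field and the session entry.
TOKEN_FIELD = "csrf_token"
SESSION_KEY = "csrf_token"

# Matches a <form ...> opening tag; the hidden input goes right after it.
FORM_OPEN_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)


def ensure_token(session: dict) -> str:
    """Return the session's CSRF token, minting one on first use.

    One token per session, as in the OWASP synchronizer token pattern.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def inject_token(html: str, token: str) -> str:
    """Output-filter step: add the hidden token input to every form."""
    hidden = (f'<input type="hidden" name="{TOKEN_FIELD}" '
              f'value="{escape(token, quote=True)}">')
    return FORM_OPEN_RE.sub(lambda m: m.group(0) + hidden, html)


def validate_post(session: dict, method: str, form: dict) -> bool:
    """Input-filter step: pass safe methods, require a matching token otherwise.

    Rejects when the session has no token yet, when the field is absent,
    or when it differs; compare_digest avoids a timing side channel.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get(SESSION_KEY)
    supplied = form.get(TOKEN_FIELD)
    if expected is None or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


# Constructed sample: one session and one page containing a form.
sample_html = '<html><body><form method="post" action="/pay"><input name="amount"></form></body></html>'
session = {}
page = inject_token(sample_html, ensure_token(session))
```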



Re: [users@httpd] Cross-Site Request Forgery

Posted by Mark Montague <ma...@catseye.org>.
On February 20, 2012 5:50 , Henrik Strand <he...@axis.com> wrote:
> What are your best practices against Cross-Site Request Forgery?

Use of a CSRF token as described on the OWASP page you linked in your 
original message.


> Does Apache Httpd support this out-of-the-box (incl. validation of the
> token for each subsequent request until the session expires)?

No.  I could argue that a web server that did this would 
violate the principle of least surprise for web applications and hence 
be likely to cause problems:  generally, web servers don't modify the 
HTML that web applications generate, with a few specific exceptions (for 
example, mod_proxy_html or mod_sed).  A different question might be, are 
there web application frameworks that automatically provide CSRF token 
generation and validation for all web applications that use the 
framework?  Can you choose to write all of the applications that you run 
and have them use such a framework?  Or are you stuck running web 
applications that other people have already written but which have CSRF 
security vulnerabilities which the authors are unwilling or unable to fix?

On the other hand, I could see providing CSRF protection at the web 
server level as being useful, since you then would not need to trust 
each web application author to both completely implement CSRF protection 
and to implement it correctly.  Does anyone know of ANY web server that 
provides CSRF protection at the web server level?  I'm curious.

--
   Mark Montague
   mark@catseye.org

