Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: blocking CSRF attacks

from [Boaz Shunami] Network Security [Permanent Link]
Subject: RE: blocking CSRF attacks
Date: Tue, 18 Dec 2007 15:34:57 +0200 
Hi,

Referrer can be spoofed; same goes for post and get requests, hence this
method will not be reliable as a security mechanism.
                             
Boaz Shunami

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Paul Johnston
Sent: Friday, December 14, 2007 8:57 PM
To: Pawan; webappsec@securityfocus.com
Subject: Re: blocking CSRF attacks

Hi,


any one on the list aware of any IDS/IPS capable of blocking CSRF
attacks? 
If not, what will be the best policy to block CSRF.
 


The best fix is to code you application to include a random token on all

forms that cause an action, and validate this when the form is
submitted.

Now, I guess you're after a quick fix? One possibility is to block POST 
requests that have a referer, and the referer is not from your domain. 
I've not tried this, but I expect it would block most attacks without 
interfering with legitimate traffic.

This does assume your pages that cause actions only respond to POST 
requests, which may not be true in practice.

Paul

------------------------------------------------------------------------
-
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process? Download
this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential. 
They are intended for the 
named recipient(s) only.
If you have received this email in error, please notify the system manager or 
the sender immediately and do 
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in the 
development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: FW: blocking CSRF attacks, Paul Johnston
Next by Date:  Re: FW: blocking CSRF attacks, Martin Johns
Previous by Thread:  Re: blocking CSRF attacks, Paul Johnston
Next by Thread:  Re: blocking CSRF attacks, Daniel Weber
Indexes:  [Date] [Thread] [Top] [All Lists]