WebApp Sec mailing list archives

Re: blocking CSRF attacks

From: makkalot () gmail com
Date: Thu, 13 Dec 2007 08:51:32 +0200

Tuesday 11 December 2007 Tarihinde 11:35:36 yazmıştı:

Hi List,

Hi :)

any one on the list aware of any IDS/IPS capable of blocking CSRF
attacks?

I dont think you need to block them with ids or ips.

If not, what will be the best policy to block CSRF.

It is actually a problem of your web framework or application you use. CSRF 
attacks use easy to guess URL'S. Therefore you shouldnt use GET for important 
tasks in your site. And also for POST requests you may use randomly generated 
hidden fields in your forms when you submit something. 

You may checkout that : http://www.owasp.org/index.php/CSRF




-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

blocking CSRF attacks Pawan (Dec 12)
- Re: blocking CSRF attacks makkalot (Dec 14)
- Re: blocking CSRF attacks Jan Heisterkamp (Dec 14)
  - Re: blocking CSRF attacks Sverre H. Huseby (Dec 15)
- Re: blocking CSRF attacks Paul Johnston (Dec 15)
  - RE: blocking CSRF attacks Boaz Shunami (Dec 19)
- <Possible follow-ups>
- Re: blocking CSRF attacks Daniel Weber (Dec 14)
- Re: FW: blocking CSRF attacks Paul Johnston (Dec 19)
  - Re: FW: blocking CSRF attacks Martin Johns (Dec 22)
  - Re: FW: blocking CSRF attacks Amit Klein (Dec 22)
  - RE: FW: blocking CSRF attacks Boaz Shunami (Dec 22)