WebApp Sec mailing list archives

RE: blocking CSRF attacks

From: "Boaz Shunami" <BoazS () comsecglobal com>
Date: Tue, 18 Dec 2007 15:34:57 +0200

Hi,

Referrer can be spoofed; same goes for post and get requests, hence this
method will not be reliable as a security mechanism.
                             
Boaz Shunami

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Paul Johnston
Sent: Friday, December 14, 2007 8:57 PM
To: Pawan; webappsec () securityfocus com
Subject: Re: blocking CSRF attacks

Hi,

any one on the list aware of any IDS/IPS capable of blocking CSRF
attacks? 
If not, what will be the best policy to block CSRF.

The best fix is to code you application to include a random token on all

forms that cause an action, and validate this when the form is
submitted.

Now, I guess you're after a quick fix? One possibility is to block POST
requests that have a referer, and the referer is not from your domain.
I've not tried this, but I expect it would block most attacks without
interfering with legitimate traffic.

This does assume your pages that cause actions only respond to POST
requests, which may not be true in practice.

Paul

------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process? Download
this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the
named recipient(s) only.
If you have received this email in error, please notify the system manager or the sender immediately and do
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be
considered a crucial phase in the development of any web application. What methodology should be followed? What tools
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

blocking CSRF attacks Pawan (Dec 12)
- Re: blocking CSRF attacks makkalot (Dec 14)
- Re: blocking CSRF attacks Jan Heisterkamp (Dec 14)
  - Re: blocking CSRF attacks Sverre H. Huseby (Dec 15)
- Re: blocking CSRF attacks Paul Johnston (Dec 15)
  - RE: blocking CSRF attacks Boaz Shunami (Dec 19)
- <Possible follow-ups>
- Re: blocking CSRF attacks Daniel Weber (Dec 14)
- Re: FW: blocking CSRF attacks Paul Johnston (Dec 19)
  - Re: FW: blocking CSRF attacks Martin Johns (Dec 22)
  - Re: FW: blocking CSRF attacks Amit Klein (Dec 22)
  - RE: FW: blocking CSRF attacks Boaz Shunami (Dec 22)