Re: [WEB SECURITY] CSRF remedies in
- From: Ory Segal <SEGALORY@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] CSRF remedies in
- Date: Thu, 15 Jan 2009 09:23:30 +0200
Hello,
Struts 2 seems to have some sort of a token interceptor that can be used
to protect against CSRF (tokenSessionInterceptor). You can find more
information on it here:
http://nickcoblentz.blogspot.com/2008/11/csrf-prevention-in-struts-2.html
-Ory
From: Eric Rachner <eric@rachner.us>
To: websecurity@webappsec.org
Date: 01/15/2009 02:32 AM
Subject: [WEB SECURITY] CSRF remedies in
As most of us know, ASP.NET provides the ViewStateUserKey feature to
mitigate CSRF attacks. But as a primarily Microsoft-oriented guy, I'm not
personally aware of any equivalent solutions for use in other
environments, J2EE in particular, except of course for CSRFGuard.
Does anyone happen to know whether any web app development platforms other
than .NET provide CSRF mitigations like ViewStateUserKey?
Much obliged,
- Eric
Brought to you by http://www.webappsec.org