Re: [mod-security-users] CSRF?
From: Ryan B. <Rya...@br...> - 2009-05-04 14:31:30
From: Katharina Kurek [mailto:kk...@gm...]
Sent: Monday, May 04, 2009 10:12 AM
To: modsec-users
Subject: [mod-security-users] CSRF?

Hello,

I'm a student from the University of Bochum (Germany) and I am writing my master thesis about Web Application Firewalls and ModSecurity for Prof. Schwenk at the "Lehrstuhl für Netz- und Datensicherheit". I am about to find out which kind of attacks ModSecurity is able to prevent and I have a few questions:

1. On the OWASP homepage ModSecurity is mentioned as a "well-known" WAF in connection with the "OWASP top ten". I tried to find out how ModSecurity prevents CSRF attacks but I was not successful. Is there another method except for something based on the HTTP referer (which is spoofable actually)?

[Ryan Barnett] I gave a talk at the recent Blackhat Federal conference and I presented a method for CSRF token usage with ModSecurity's Content Injection feature - http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html#Barnett.

2. Does ModSecurity support Cookie encryption?

3. Does ModSecurity support URL encryption? I was not able to find out anything about that except that link: http://www.modsecurity.org/blog/archives/2006/08/modsecurity_coo.html It is about a patch which I also couldn't find on the web.

[Ryan Barnett] You can find the patch listed here - http://article.gmane.org/gmane.comp.apache.mod-security.user/1733. Keep in mind that this was written for an older version 1.9.4.

I would be very happy if you could help me in this case.

Thank you very much!
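As an added illustration of the Content Injection approach Ryan mentions (this is not material from his talk or from any ModSecurity project file), the following ModSecurity 2.x rules mint a per-session token, inject it into every HTML form on the way out, and reject POSTs that do not return it. It assumes the application keeps its session in a PHPSESSID cookie; the field name csrf_token, the rule ids and the SecDataDir path are made up for the example.

```apache
# Added example (not the author's or the project's code): CSRF token via
# ModSecurity 2.x Content Injection. Assumed: PHPSESSID session cookie,
# hidden field named csrf_token, arbitrary rule ids 900001-900005.
SecDataDir /var/cache/modsecurity       # assumed path; required for SESSION storage
SecContentInjection On                  # enables the append/prepend actions
SecResponseBodyAccess On

# 1. Bind ModSecurity's SESSION collection to the application's session cookie.
SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "phase:1,id:900001,nolog,pass,setsid:%{REQUEST_COOKIES.PHPSESSID}"

# 2. Mint a token the first time this session is seen; it persists in SecDataDir.
SecRule &SESSION:csrf_token "@eq 0" \
    "phase:1,id:900002,nolog,pass,setvar:session.csrf_token=%{UNIQUE_ID}"

# 3. Validate on state-changing requests: first deny a POST with no token at all,
#    then deny a POST whose token differs from the one stored for the session.
SecRule REQUEST_METHOD "@streq POST" \
    "chain,phase:2,id:900003,deny,status:403,log,msg:'CSRF token missing'"
    SecRule &ARGS:csrf_token "@eq 0"

SecRule REQUEST_METHOD "@streq POST" \
    "chain,phase:2,id:900004,deny,status:403,log,msg:'CSRF token mismatch'"
    SecRule ARGS:csrf_token "!@streq %{SESSION.csrf_token}"

# 4. Inject a script into HTML responses only, adding a hidden csrf_token
#    input to every form so the application itself needs no change.
SecRule RESPONSE_CONTENT_TYPE "^text/html" \
    "phase:3,id:900005,nolog,pass,append:'<script>for (var i = 0; i < document.forms.length; i++) { var f = document.forms[i]; var e = document.createElement(\"input\"); e.type = \"hidden\"; e.name = \"csrf_token\"; e.value = \"%{SESSION.csrf_token}\"; f.appendChild(e); }</script>'"
```

UNIQUE_ID is unique per request but not designed to be unpredictable, so a deployment should derive the token from a proper random source instead. Forms served before the session cookie exists (for example the login page) receive an empty token and their POST would be denied by rule 900004, so such endpoints need an explicit exemption.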