Re: [mod-security-users] CSRF?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

From: Katharina Kurek [mailto:kk...@gm...]
Sent: Monday, May 04, 2009 10:12 AM
To: modsec-users
Subject: [mod-security-users] CSRF?

Hello,

I'm a student from the Univiersity of Bochum (Germany) and I am writing my masterthesis about Web Application Firewalls and Modsecurity for Prof. Schwenk at the "Lehrstuhl für Netz- und Datensicherheit".
I am about to find out which kind of attacks ModSecurity is able to prevent and I have a few questions:
1.On the OWASP homepage Modsecurity is mentioned as an "well-known" WAF in connection with the "OWASP top ten".
I tried to find out how Modsecurity prevents CSRF attacks but I was not successful?
Is there another method except for something based on HTTP referer (which is spoofable actually)?
[Ryan Barnett] I gave a talk at the recent Blackhat Federal conference and I presented a method for CSRF token usage with ModSecurity's Content Injection feature - http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html#Barnett.

2.Does ModSecurity support Cookie encryption?
3.Does ModSecurity support URL encryption?
I was not able to find out anything about that expect that link : http://www.modsecurity.org/blog/archives/2006/08/modsecurity_coo.html
It is about a patch which I also couln'd find on the web.
[Ryan Barnett] You can find the patch listed here - http://article.gmane.org/gmane.comp.apache.mod-security.user/1733.  Keep in mind that this was written for an older version 1.9.4.

I would be very happy if you could help me in this case.
Thank you very much!