Re: [mod-security-users] Tokens?
From: Ivan R. <iv...@we...> - 2005-04-30 09:09:42
Christian Martorella wrote:
> Hi, I was looking at other application firewalls and I saw that some of
> them use tokens to sign forms or variables with a hash.

Can you be more specific? What are they signing? The hidden fields, the names of the fields?

> Are there
> plans to implement this in Mod_Security? Or is someone already
> working on it?

No. I am not convinced such a feature would have significant value in real life. I can see how it can help in a specific case (e.g. when someone has an app with a hidden field that should never change). But I do not think it can work as a generic protection measure people can turn on and forget about. In this day and age many applications are creating forms dynamically at runtime, and using JavaScript to change the values in the hidden fields.

> P.S.: I also noted that there is no TODO list. It could be very interesting
> to see what things are needed, or what people are expecting from the
> mod? :)

I used to have a public TODO list but it was frequently out of sync.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
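The form-signing idea discussed in this thread, as an added illustration that is not part of the original message and not ModSecurity code: the server computes an HMAC over the hidden fields it declares immutable, embeds the tag as its own hidden field, and on submit recomputes and compares it in constant time. The field names, the secret key and the sample submissions are all constructed for the example. It also shows the limitation Ivan raises: only fields the application promises never to change client-side can be listed as protected, so the protected set is per application rather than a generic switch.

```python
import hmac
import hashlib
import json

# Server-side secret; a constructed placeholder, not a real key.
SERVER_KEY = b"example-server-secret-do-not-use"

# Hidden fields this (hypothetical) application declares immutable. Fields
# that legitimate client-side JavaScript may rewrite must not be listed,
# which is why this cannot be turned on blindly for every form.
PROTECTED_FIELDS = ("product_id", "price")


def _canonical(fields, protected):
    """Serialize the protected subset in a stable order so the server
    computes identical bytes when rendering and when verifying."""
    subset = {name: str(fields[name]) for name in protected if name in fields}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_fields(fields, key=SERVER_KEY, protected=PROTECTED_FIELDS):
    """Return the hex HMAC-SHA256 over the protected hidden fields. The
    application embeds this value as its own hidden field (here '_sig')."""
    return hmac.new(key, _canonical(fields, protected), hashlib.sha256).hexdigest()


def verify_fields(fields, token, key=SERVER_KEY, protected=PROTECTED_FIELDS):
    """Recompute the tag over the submitted fields and compare in constant
    time. False means a protected field changed in transit, a protected
    field is missing, or the token is absent or forged."""
    if not isinstance(token, str):
        return False
    expected = sign_fields(fields, key, protected)
    return hmac.compare_digest(expected, token)


# Constructed sample: what the server rendered, and two submissions.
rendered = {"product_id": "42", "price": "19.99", "quantity": "1"}
token = sign_fields(rendered)

# Honest submission: the user changed 'quantity', which is not protected.
honest = {"product_id": "42", "price": "19.99", "quantity": "3", "_sig": token}
# Tampered submission: 'price' was rewritten in the browser.
tampered = {"product_id": "42", "price": "0.01", "quantity": "1", "_sig": token}

if __name__ == "__main__":
    print("honest:", verify_fields(honest, honest["_sig"]))        # True
    print("tampered:", verify_fields(tampered, tampered["_sig"]))  # False
```

The tag is bound to the exact rendered values, so a verification failure is a detection signal worth logging, but it also fires whenever a protected field legitimately changes on the client, which is the operational reason a generic, application-agnostic version is hard to get right.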