[Owasp-csrfguard] Django and Ruby on Rails Mimic CSRFGuard

Eric Sheridan eric.sheridan at owasp.org
Thu Feb 10 13:39:56 EST 2011


List,

I read an article last night about how Django and Ruby on Rails CSRF
protections for Ajax requests were found broken. Attackers could forge
the headers through a combination of browser plugins and redirects.
Their fix? Implement the CSRF protection token in a custom HTTP header
for all Ajax requests - this is what CSRFGuard already does! I was a
little ornery about the subject last night resulting in an amusing blog
post:

http://ericsheridan.blogspot.com/2011/02/hey-django-and-ror-how-about-some.html

If you know anyone using CSRFGuard or using it as a reference
implementation, please let me know! I'd like to have the main page list
companies/users using the product.

As always, I am in need of testing for the 3.0 release. Drop me a line
if you have feedback!

-Eric
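The pattern the post refers to, a per-session CSRF token sent back in a custom HTTP header on every Ajax request and compared server-side, as an added example; this is not CSRFGuard's code nor Django's or Rails' fix. The header name `X-CSRF-Token`, the dict-shaped `session` and `request_headers`, and the function names are assumptions. The second check, which only tests that a marker header is present, is included to show the kind of weak check the post describes as forgeable: a presence test gives the server nothing secret to compare against.

```python
import hmac
import secrets

# Assumed header name; the mailing-list post does not name one.
CSRF_HEADER = "X-CSRF-Token"


def issue_token(session: dict) -> str:
    """Create a per-session CSRF token (or reuse the existing one).

    The token is stored server-side in the session and handed to the page,
    which must echo it back in CSRF_HEADER on every state-changing request.
    """
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def _header(request_headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in request_headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_valid_csrf(request_headers: dict, session: dict) -> bool:
    """Accept the request only if the header carries the session's token.

    Returns False when the session has no token, the header is missing, or
    the values differ. compare_digest avoids leaking the token via timing.
    """
    expected = session.get("csrf_token")
    presented = _header(request_headers, CSRF_HEADER)
    if not expected or not presented:
        return False
    return hmac.compare_digest(presented, expected)


def presence_only_check(request_headers: dict) -> bool:
    """Weak check for contrast: passes whenever a marker header is present.

    Nothing here is secret, so any request that can carry the header passes.
    This is the style of check the post says was found broken.
    """
    return _header(request_headers, "X-Requested-With") is not None


if __name__ == "__main__":
    # Constructed sample session and requests; no real traffic involved.
    session = {}
    token = issue_token(session)
    good = {"X-CSRF-Token": token, "X-Requested-With": "XMLHttpRequest"}
    no_token = {"X-Requested-With": "XMLHttpRequest"}
    wrong_token = {"x-csrf-token": "not-the-session-token"}
    print("good request     ->", is_valid_csrf(good, session))        # True
    print("missing token    ->", is_valid_csrf(no_token, session))    # False
    print("wrong token      ->", is_valid_csrf(wrong_token, session)) # False
    print("presence-only    ->", presence_only_check(no_token))       # True
```

The browser side only has to read the token out of the page (for example from a meta tag rendered by the server) and set `X-CSRF-Token` on each XMLHttpRequest or fetch call; the server rejects any state-changing request that fails `is_valid_csrf`.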

