[Owasp-csrfprotector] protection for GET requests

Minhaz A V minhazav at gmail.com
Sun May 25 22:51:11 UTC 2014


Also, this would require us to rewrite only the requests (in the case of GET) which
are sent to these URLs, or we rewrite every URL, as having an
extra parameter in the request URL won't be harmful (but I guess that would
be a very bad practice).

For this we need to pass the logic to JS also, so that it identifies which
requests to rewrite. Any simple idea on how to do this?


Minhaz,
minhaz.cistoner.org || cistoner.org


On Mon, May 26, 2014 at 4:15 AM, Minhaz A V <minhazav at gmail.com> wrote:

> Yeah, this is a better idea: rather than implementing the logic directly
> in the validation code,
> we can provide a function which can be overridden by a user-defined
> function. In the basic method we can provide a mechanism that is in our scope, i.e.
> to map the current request URL against all those mentioned in the array of URLs to be
> validated.
>
>
> Minhaz,
> minhaz.cistoner.org || cistoner.org
>
>
> On Mon, May 26, 2014 at 4:05 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> What if the application uses dynamic URLs? What if it has so many URLs
>> that need to be verified, and only one not to be verified?
>>
>> We can expect the developer to create a function that receives a URL, and
>> returns true if it needs to be CSRF protected and false otherwise, and then
>> use that function to decide what to do.
>>
>> A list can easily be implemented using that as well.
>> -A
>>      ______________________________________________________________
>> *Notice:* This message is *digitally signed*, its *source* and
>> *integrity* are verifiable.
>> If your mail client does not support S/MIME verification, it will display
>> a file (smime.p7s), which includes the X.509 certificate and the signature
>> body. Read more at Certified E-Mail with Comodo and Thunderbird <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> on
>> AbiusX.com
>>
>> On May 25, 2014, at 6:34 PM, Minhaz A V <minhazav at gmail.com> wrote:
>>
>> Abbas, I couldn't get you?
>>
>>
>>
>> Minhaz,
>> minhaz.cistoner.org || cistoner.org
>>
>>
>> On Mon, May 26, 2014 at 3:59 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> A list is not the best idea, but a function that returns true or false
>>> and is implemented by the developer is a totally different story!
>>> -A
>>>
>>> On May 25, 2014, at 6:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> What if we keep a list of specific URLs for which the developer wants to
>>> check for CSRF validation in GET requests? This would create no false
>>> positives or false negatives, as GET requests to only certain URLs can be
>>> vulnerable. If the developer can identify these, we can map every host URL in a
>>> request against the list the developer has maintained and provide validation for
>>> those only. This will complicate the logic to a certain extent, but we
>>> can implement it!
>>>
>>>
>>> Great idea, I like it.
>>> - Jim
>>>
>>>
>>>
>>> Minhaz,
>>> minhaz.cistoner.org || cistoner.org
>>>
>>> _______________________________________________
>>> Owasp-csrfprotector mailing list
>>> Owasp-csrfprotector at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
>>>
>>>
>>>
>>>
>>
>>
>
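As an added illustration (not CSRFProtector's own code), the JavaScript below sketches the client-side half of the scheme discussed in this thread: a developer-overridable predicate decides which GET URLs need the token, a list-based matcher is the default, and the rewriter leaves cross-origin and unlisted URLs untouched. The parameter name `csrfp_token`, the origin `https://app.example` and all function names are assumptions made for the example.

```javascript
// Added illustration, not the project's code. TOKEN_PARAM, APP_ORIGIN and the
// function names are assumed for the example.
const TOKEN_PARAM = "csrfp_token";
const APP_ORIGIN = "https://app.example";

// Default predicate (the list approach): a GET URL needs the token when its
// path equals a listed path or lies beneath a listed directory. The boundary
// check stops "/admin" from also matching "/administrators".
function makeListPredicate(protectedPaths) {
  return (url) => {
    const path = new URL(url, APP_ORIGIN).pathname;
    return protectedPaths.some(
      (p) => path === p || path.startsWith(p.endsWith("/") ? p : p + "/")
    );
  };
}

// The predicate the rewriter consults. The developer may swap in any function
// of the URL (regex, router lookup) instead of the default list matcher.
let needsProtection = makeListPredicate(["/account/delete", "/admin"]);

function setProtectionPredicate(fn) {
  needsProtection = fn;
}

// Rewrite one GET URL: leave it untouched unless it is same-origin and the
// predicate says it needs protection; then add (or refresh) the token parameter.
function rewriteGetUrl(url, token) {
  const parsed = new URL(url, APP_ORIGIN);
  if (parsed.origin !== APP_ORIGIN) return url;   // never send the token off-site
  if (!needsProtection(parsed.href)) return url;  // only the selected URLs
  parsed.searchParams.set(TOKEN_PARAM, token);    // set() also replaces a stale token
  return parsed.href;
}

// Walk a page's links, as the client-side hook would do on load.
function rewriteAll(hrefs, token) {
  return hrefs.map((h) => rewriteGetUrl(h, token));
}

// Constructed sample links for a stand-alone run.
console.log(rewriteAll(["/admin/users?id=4", "/help", "https://other.example/admin"], "demo-token"));
```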

