[Owasp-leaders] OWASP CSRF Guard Project Question

Jason Li jason.li at owasp.org
Wed Nov 14 14:53:45 UTC 2012


The issue is not clear from the description of his issue. There could be
many reasons it's not working for him. The project is meant to protect
websites, not web services - as a result, the primary tools provided by
CSRF Guard to include a CSRF token are geared towards websites.

It's not clear from the question if the person is receiving a correct
service response but simply with a modified content type header, or if the
response he is receiving is due to an error or landing page created by CSRF
Guard. If the service request is not properly including the CSRF token, the
resulting error page will come back as a text/html response. Another
possibility is that there is a feature to create a landing page for
requests without a CSRF token. That page is not enabled by default, but it
most certainly results in a text/html response.

-Jason

On Wed, Nov 14, 2012 at 9:03 AM, Samantha Groves
<samantha.groves at owasp.org> wrote:

> Hello Leaders,
>
> I am hoping you can offer some assistance to Mr. Shanmugaraja. He has a
> question regarding the OWASP CSRF Guard Project. Please refer to the
> message below:
>
> ----------------
> We have a web application in which we are implementing OWASP CSRF Guard
> Project. In the same application we have SOAP based web services. We have
> the URL of the Web Service Endpoint in the unprotected list. When the end
> point is accessed by the consumer the response is txt/html instead
> of txt/xml. How could we handle this? Your response is highly appreciated.
> ----------------
>
> Thank you for your assistance with this query, Leaders.
>
>
> --
>
> *Samantha Groves, MBA*
>
> *OWASP Project Manager*
>
> The OWASP Foundation
>
> London, United Kingdom
>
> Email: samantha.groves at owasp.org
>
> Skype: samanthahz
>
>
> Book a Meeting with Me <http://goo.gl/mZXdZ>
>
> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>
> New Project Application Form <https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHZfWGhHZ0Z4UFFwZU42djBXcVVLSlE6MQ#gid=0>