[Owasp-leaders] Protecting Django apps from CSRF
Matt Tesauro
matt.tesauro at owasp.org
Wed May 29 02:06:56 UTC 2013
My apologies for the delayed response - I got buried with some work items.
Just wanted to thank all those that replied to my query - I got some great
replies from the list which is one of the cool things about hanging out
with this community.
Thanks!
--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
On Fri, May 17, 2013 at 8:19 AM, Martin Holst Swende <
martin.holst_swende at owasp.org> wrote:
> On 05/16/2013 05:53 PM, Matt Tesauro wrote:
>
> While I'm up to my ears with Python at Rackspace & with OpenStack, I've
> not used Django for any of the code I've written recently - or actually
> ever.
>
> I've got an app which is basically using the Django CSRF protection as
> outlined here:
> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
> for both "normal" web forms as well as AJAX calls.
>
> I'm curious about anyone's experience with the Django CSRF protection,
> how well it works and any "gotchas", weakness or other issues with Django's
> CSRF protection.
>
>
> It accepts any value for csrf_token, if it comes in both cookie and form
> (double submit).
>
> Gotchas:
> This means that an XSS in a sibling or child-domain is a security hole,
> since that can be used to set cookies.
> - *But* it also checks referer, so that won't work.
> - *However*, referer is fragile on http-sites (since https won't send
> referer), so that part is disabled by default if the site is served over
> http.
>
> So, if the site is https-only, as I understand it, it's quite ok. Less so
> on http-sites. Please correct me if I'm wrong.
> /Martin Swende
>
>
>
> List or direct replies appreciated.
>
> Thanks in advance.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
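To make Martin's two observations concrete (any matching cookie/form pair passes the double-submit comparison; the Referer is only checked over HTTPS), here is a small pure-Python model of that check, added as an illustration and not Django's own CsrfViewMiddleware code. The hostname, tokens and Referer values are constructed.

```python
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Model of the double-submit check described in the thread (not Django's code):
# the cookie copy of the token must equal the submitted copy, and the Referer
# origin is verified only when the page is served over HTTPS.

def same_origin(referer: str, host: str, scheme: str) -> bool:
    """True when the Referer's scheme and host match the served page's."""
    parts = urlsplit(referer)
    return parts.scheme == scheme and parts.netloc == host

def csrf_check(scheme: str, host: str, cookie_token: Optional[str],
               submitted_token: Optional[str], referer: Optional[str]) -> str:
    """Return 'ok' or the reason the request is rejected."""
    if scheme == "https":
        # Referer is required only on HTTPS, where browsers send it reliably.
        if not referer:
            return "rejected: missing Referer on HTTPS"
        if not same_origin(referer, host, scheme):
            return "rejected: Referer origin mismatch"
    if not cookie_token or not submitted_token:
        return "rejected: token missing"
    # Constant-time comparison. Any value passes as long as both copies agree,
    # which is why a cookie set from a sibling domain matters on plain HTTP.
    if not hmac.compare_digest(cookie_token, submitted_token):
        return "rejected: token mismatch"
    return "ok"

HOST = "app.example.org"  # constructed hostname for the scenarios below

def scenarios() -> dict:
    """Run the four cases discussed in the thread and return each verdict."""
    matching = dict(cookie_token="abc123", submitted_token="abc123")
    own_page = f"https://{HOST}/form"
    return {
        # Legitimate same-origin post over HTTPS.
        "https_same_origin": csrf_check("https", HOST, referer=own_page, **matching),
        # Matching pair (e.g. injected cookie) but a foreign Referer over HTTPS.
        "https_foreign_referer": csrf_check(
            "https", HOST, referer="https://evil.example.net/", **matching),
        # Same matching pair over HTTP: no Referer check, so it is accepted.
        "http_foreign_referer": csrf_check(
            "http", HOST, referer="http://evil.example.net/", **matching),
        # Cookie and form copies disagree.
        "token_mismatch": csrf_check("https", HOST, cookie_token="abc123",
                                     submitted_token="zzz", referer=own_page),
    }
```

The `http_foreign_referer` verdict is the weak case Martin points at: serving the site HTTPS-only is what turns the Referer check on.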