[Owasp-leaders] Protecting Django apps from CSRF

Matt Tesauro matt.tesauro at owasp.org
Wed May 29 02:06:56 UTC 2013


My apologies for the delayed response - I got buried with some work items.

Just wanted to thank all those that replied to my query - I got some great
replies from the list which is one of the cool things about hanging out
with this community.

Thanks!

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project


On Fri, May 17, 2013 at 8:19 AM, Martin Holst Swende <
martin.holst_swende at owasp.org> wrote:

>  On 05/16/2013 05:53 PM, Matt Tesauro wrote:
>
>  While I'm up to my ears with Python at Rackspace & with OpenStack, I've
> not used Django for any of the code I've written recently - or actually
> ever.
>
>  I've got an app which is basically using the Django CSRF protection as
> outlined here:
> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
>  for both "normal" web forms as well as AJAX calls.
>
>  I'm curious about anyone's experience with the Django CSRF protection,
> how well it works and any "gotchas", weakness or other issues with Django's
> CSRF protection.
>
>
> It accepts any value for csrf_token, if it comes in both cookie and form
> (double submit).
>
> Gotchas :
> This means that an XSS in a sibling or child-domain is a security hole,
> since that can be used to set cookies.
> - *But* it also checks referer, so that won't work.
> - *However*, referer is fragile on http-sites (since https won't send
> referer), so that part is disabled by default if the site is served over
> http.
>
> So, if the site is https-only, as I understand it, it's quite ok. Less so
> on http-sites. Please correct me if I'm wrong.
> /Martin Swende
>
>
>
>  List or direct replies appreciated.
>
>  Thanks in advance.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
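The two checks Martin describes (cookie and form token must match, and on https the Referer must point at the site's own origin) are easy to see in miniature. The following is an added illustration written for this thread, not Django's middleware and not anything from Matt's app; it borrows Django's default names for the cookie (csrftoken) and the form field (csrfmiddlewaretoken), but the Request class, csrf_check and scenarios are hypothetical, and the hosts and tokens are constructed sample data. It shows why the Referer check matters: a request whose cookie and form token were both planted (the sibling-domain XSS case) is rejected over https but accepted over http, where the Referer check is switched off.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for this example)."""
    scheme: str                                   # "http" or "https"
    host: str                                     # value of the Host header
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    @property
    def is_secure(self) -> bool:
        return self.scheme == "https"


def referer_is_same_origin(request: Request) -> bool:
    """Referer check: must be an https URL whose host is our own host."""
    referer = request.headers.get("Referer")
    if not referer:
        # A missing Referer is rejected. Browsers drop the Referer when going
        # from https to http, which is why this check is only enforced on https.
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc == request.host


def csrf_check(request: Request) -> tuple[bool, str]:
    """Double-submit check as described in the thread, plus Referer check on https."""
    cookie_token = request.cookies.get("csrftoken")
    form_token = request.form.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return False, "missing token"
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "token mismatch"
    # The server never verified the token's value, only that cookie and form agree;
    # on https the Referer check is what stops a planted cookie from being enough.
    if request.is_secure and not referer_is_same_origin(request):
        return False, "bad referer"
    return True, "ok"


def scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed requests covering the cases discussed in the thread."""
    site = "app.example"                          # constructed hostname
    legit = {"csrftoken": "a1b2"}                 # token issued by the site
    planted = {"csrftoken": "zzzz"}               # attacker-chosen value set from a sibling domain
    return {
        "legit_https": csrf_check(Request(
            "https", site, legit, {"csrfmiddlewaretoken": "a1b2"},
            {"Referer": f"https://{site}/form"})),
        "legit_http": csrf_check(Request(
            "http", site, legit, {"csrfmiddlewaretoken": "a1b2"})),
        "token_mismatch": csrf_check(Request(
            "https", site, legit, {"csrfmiddlewaretoken": "zzzz"},
            {"Referer": f"https://{site}/form"})),
        "missing_token": csrf_check(Request(
            "https", site, {}, {"csrfmiddlewaretoken": "a1b2"},
            {"Referer": f"https://{site}/form"})),
        # Planted cookie + matching form token, cross-origin Referer: caught on https.
        "planted_https": csrf_check(Request(
            "https", site, planted, {"csrfmiddlewaretoken": "zzzz"},
            {"Referer": "https://evil.example/"})),
        # Same planted pair over http: Referer check disabled, so it passes.
        "planted_http": csrf_check(Request(
            "http", site, planted, {"csrfmiddlewaretoken": "zzzz"},
            {"Referer": "http://evil.example/"})),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:16} {'PASS' if ok else 'REJECT'} ({reason})")
```

The last two scenarios are the whole point of Martin's caveat: the double-submit comparison alone cannot tell a token the site issued from one an attacker was able to set, so the defensive takeaway is to serve the application https-only so the Referer check is always in force.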