  • CSRF Defense Using Content Injection Support By ModSecurity


    The most advanced and imaginative use of the content injection feature is that devised by Ryan C. Barnett, the ModSecurity Community Manager and author of the Core Rule Set. He established a way to use content injection to defend vulnerable applications against Cross-Site Request Forgery (CSRF) attacks, something otherwise only possible by modifying the source code of the vulnerable applications. (If you are not familiar with CSRF, I suggest that you read through the CSRF entry on Wikipedia [http://en.wikipedia.org/wiki/Cross-site_request_forgery].)

    The usual way to defend against CSRF is to embed special tokens into application forms and accept only those submissions that contain the correct token values. CSRF requests faced with such defenses always fail, because they have no way to "know" the correct token value.

    Ryan's approach was to use content injection to inject JavaScript into all application pages; that script then modifies every form on the page to add tokens where they wouldn't normally exist. In the second part of the trick, he would have ModSecurity rules inspect all POST requests to verify that they contain the correct values. Brilliant!

    For more information, look up Ryan's Black Hat DC 2009 whitepaper WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity. The 26-page document contains many other interesting techniques.
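    As an added illustration of both halves of the trick (this is not code from the book, from Ryan's whitepaper, or from the Core Rule Set), the following Python sketch models what the WAF does on each side: derive a per-session token (the HMAC-of-session-id scheme is an assumption made here), append a script to HTML responses that adds the token to every form, and refuse POST requests that do not carry the token for their session.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Constructed demo secret; a real deployment keeps this out of the rule files.
WAF_SECRET = b"constructed-demo-secret"
TOKEN_FIELD = "csrf_token"


def csrf_token(session_id: str) -> str:
    """Per-session token computed on the WAF side (assumed scheme: HMAC-SHA256).
    The application never sees or stores it; only the WAF can recompute it."""
    return hmac.new(WAF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def injected_script(token: str) -> str:
    """JavaScript appended to HTML responses: adds a hidden token field to
    every form so that the application's own source stays untouched."""
    return (
        "<script>document.addEventListener('DOMContentLoaded',function(){"
        "Array.prototype.forEach.call(document.forms,function(f){"
        "var i=document.createElement('input');i.type='hidden';"
        "i.name=%s;i.value=%s;f.appendChild(i);});});</script>"
    ) % (json.dumps(TOKEN_FIELD), json.dumps(token))


def inject(response_html: str, session_id: str) -> str:
    """Content injection step: place the script just before </body>,
    or at the end of the document if there is no closing body tag."""
    script = injected_script(csrf_token(session_id))
    if "</body>" in response_html:
        return response_html.replace("</body>", script + "</body>", 1)
    return response_html + script


def verify_post(session_id: str, body: str) -> bool:
    """Rule step: a POST body is accepted only if it carries this session's token.
    A missing field yields "" and fails the constant-time comparison."""
    submitted = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    return hmac.compare_digest(submitted, csrf_token(session_id))


def waf_allows(method: str, session_id: str, body: str = "") -> bool:
    """Only state-changing (POST) requests are subject to the token check."""
    if method.upper() != "POST":
        return True
    return verify_post(session_id, body)
```

    A forged cross-site POST fails here for the reason the text gives: the attacker's page cannot read the victim's session-bound token, so the field is absent or wrong.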

  • Original article: https://www.cnblogs.com/wuweidong/p/8624927.html
Copyright © 2011-2022 走看看