CSRF Defense Using Content Injection Support in ModSecurity
The most advanced and imaginative use of the content injection feature is that devised by Ryan C. Barnett, the ModSecurity Community Manager and author of the Core Rule Set. He established a way to use content injection to defend vulnerable applications against Cross-Site Request Forgery (CSRF) attacks, a defense that is otherwise only possible by modifying the source code of the vulnerable application. (If you are not familiar with CSRF, I suggest that you read through the CSRF entry on Wikipedia [http://en.wikipedia.org/wiki/Cross-site_request_forgery].)
The usual way to defend against CSRF is to embed special tokens into application forms and accept only those submissions that carry the correct token value. A forged request fails because the attacking site has no way to "know" the token value, provided the token is unpredictable, tied to the victim's session, and never exposed to other origins.
Ryan's approach was to use content injection to add JavaScript to every application page; the script then modifies every form on the page, adding a hidden token field where the application itself never emitted one. In the second part of the trick, ModSecurity rules inspect all POST requests and reject any whose token does not match the value tied to the session. Brilliant!
For more information, look up Ryan’s Black Hat DC 2009 whitepaper WAF Virtual Patching
Challenge: Securing WebGoat with ModSecurity. The 26-page document contains many other
interesting techniques.