The most advanced and imaginative use of the content injection feature is that devised by
Ryan C. Barnett, the ModSecurity Community Manager and author of the Core Rule Set. He
established a way to use content injection to defend vulnerable applications against Cross-
Site Request Forgery (CSRF) attacks, otherwise only possible through the modification of
the source code of the vulnerable applications. (If you are not familiar with CSRF, I suggest
that you read through the CSRF entry on Wikipedia [http://en.wikipedia.org/wiki/Crosssite_
request_forgery].)
The usual way to defend against CSRF is to embed special tokens into application forms, and
accept only those submits that contain the correct token values. CSRF requests faced with such
defenses always fail, because they have no way to “know” the correct token value.
Ryan’s approach was to use content injection to inject JavaScript into all application pages,
which is then used to modify all page forms to add tokens where they wouldn’t normally exist.
In the second part of the trick, he would have ModSecurity rules inspect all POST requests to
verify that they contain the correct values. Brilliant!
For more information, look up Ryan’s Black Hat DC 2009 whitepaper WAF Virtual Patching
Challenge: Securing WebGoat with ModSecurity. The 26-page document contains many other
interesting techniques.

CRSF Defense Using Content Injection Support By ModSecurity的更多相关文章

  1. ModSecurity web application firewall (WAF) Research

    catalog . 引言 . OWASP ModSecurity Core Rule Set (CRS) Project . Installation mod_security for Apache ...

  2. [security][modsecurity][nginx] nginx 与 modsecurity

    参考文档: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx nginx不支 ...

  3. OWIN support for the Web API 2 and MVC 5 integrations in Autofac

    Currently, in the both the Web API and MVC frameworks, dependency injection support does not come in ...

  4. Android support library支持包常用控件介绍(二)

    谷歌官方推出Material Design 设计理念已经有段时间了,为支持更方便的实现 Material Design设计效果,官方给出了Android support design library ...

  5. Property Injection in Asp.Net Core (转载)

    问: I am trying to port an asp.net application to asp.net core. I have property injection (using ninj ...

  6. Android Design Support Library概览

    尊重劳动成果.转载请注明出处:http://blog.csdn.net/growth58/article/details/47972467 关注新浪微博:@于卫国 邮箱:yuweiguocn@gmai ...

  7. 使用 Microsoft.Extensions.DependencyInjection 进行依赖注入

    没有 Autofac DryIoc Grace LightInject Lamar Stashbox Unity Ninject 的日子,才是好日子~~~~~~~~~~ Using .NET Core ...

  8. ASP.NET Core 中文文档 第四章 MVC(4.4)依赖注入和控制器

    原文: Dependency Injection and Controllers 作者: Steve Smith 翻译: 刘浩杨 校对: 孟帅洋(书缘) ASP.NET Core MVC 控制器应通过 ...

  9. MVC2,MVC3,MVC4和MVC5的不同

    现在MVC的技术日趋成熟,面对着不同版本的MVC大家不免有所迷惑 -- 它们之间有什么不同呢?下面我把我搜集的信息汇总一下,以便大家能更好的认识不同版本MVC的功能,也便于自己查阅. View Eng ...

随机推荐

  1. 一天一个算法:求Sn=a+aa+aaa+…+aa…a之和

    /* 求Sn=a+aa+aaa+…+aa…a之值,其中a是一个数字. 例如:2+22+222+…+22222(此时n=5),n由键盘输入.*/ void Function3() { int a,n,s ...

  2. 谈谈Vim中实用又好记的一些命令

      本文的目的在于总结一些日常操作中比较实用.有规律的Vim命令,而不致于介绍一些基础的Vim知识,比如几种插入模式,hjkl移动命令,dd删除本行,p粘贴 等等,故对Vim基本知识不够熟悉的请参见其 ...

  3. bzoj3252: 攻略 优先队列 并查集 贪心

    考场上自己yy出来的做法..... Code: #include<cstdio> #include<algorithm> #include<queue> #incl ...

  4. 由防止表单重复提交引发的一系列问题--servletRequest的复制、body值的获取

    @Time:2019年1月4日 16:19:19 @Author:QGuo   背景:最开始打算写个防止表单重复提交的拦截器:网上见到一种不错的方式,比较合适前后端分离,校验在后台实现: 我在此基础上 ...

  5. [TJOI2017]城市(树的直径)

    [TJOI2017]城市 题目描述 从加里敦大学城市规划专业毕业的小明来到了一个地区城市规划局工作.这个地区一共有ri座城市,<-1条高速公路,保证了任意两运城市之间都可以通过高速公路相互可达, ...

  6. P3168 [CQOI2015]任务查询系统(主席树)

    题目描述 最近实验室正在为其管理的超级计算机编制一套任务管理系统,而你被安排完成其中的查询部分.超级计算机中的任务用三元组(Si,Ei,Pi)描述,(Si,Ei,Pi)表示任务从第Si秒开始,在第Ei ...

  7. 第三讲 $\mathbb{R}^4$上平凡主丛的联络、曲率与Yang-Mills泛函

    一. $\mathbb{R}^4$或$\mathbb{R}^n$上平凡主丛的联络与曲率$\newcommand{\R}{\mathbb{R}}$ 回忆切丛$T\R^n\cong \R^n\times\ ...

  8. 【SRM 717 div2 B】LexmaxReplace

    Problem Statement Alice has a string s of lowercase letters. The string is written on a wall. Alice ...

  9. 炜煌E30 E31微型热敏打印机 STM32 串口驱动

    设置为汉字模式 十六进制 命令:1C    26 USART_SendData(USART2,0x1C); while(USART_GetFlagStatus(USART2,USART_FLAG_TC ...

  10. android动画-拖动

    先上图看效果 实质上说是动画有点不妥,确切的说应该是手势的处理,废话不多说看代码 SimpleDragSample.java public class SimpleDragSample extends ...