The most advanced and imaginative use of the content injection feature is that devised by
Ryan C. Barnett, the ModSecurity Community Manager and author of the Core Rule Set. He
established a way to use content injection to defend vulnerable applications against Cross-
Site Request Forgery (CSRF) attacks, otherwise only possible through the modification of
the source code of the vulnerable applications. (If you are not familiar with CSRF, I suggest
that you read through the CSRF entry on Wikipedia [http://en.wikipedia.org/wiki/Crosssite_
request_forgery].)
The usual way to defend against CSRF is to embed special tokens into application forms, and
accept only those submits that contain the correct token values. CSRF requests faced with such
defenses always fail, because they have no way to “know” the correct token value.
Ryan’s approach was to use content injection to inject JavaScript into all application pages,
which is then used to modify all page forms to add tokens where they wouldn’t normally exist.
In the second part of the trick, he would have ModSecurity rules inspect all POST requests to
verify that they contain the correct values. Brilliant!
For more information, look up Ryan’s Black Hat DC 2009 whitepaper WAF Virtual Patching
Challenge: Securing WebGoat with ModSecurity. The 26-page document contains many other
interesting techniques.

CRSF Defense Using Content Injection Support By ModSecurity的更多相关文章

  1. ModSecurity web application firewall (WAF) Research

    catalog . 引言 . OWASP ModSecurity Core Rule Set (CRS) Project . Installation mod_security for Apache ...

  2. [security][modsecurity][nginx] nginx 与 modsecurity

    参考文档: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx nginx不支 ...

  3. OWIN support for the Web API 2 and MVC 5 integrations in Autofac

    Currently, in the both the Web API and MVC frameworks, dependency injection support does not come in ...

  4. Android support library支持包常用控件介绍(二)

    谷歌官方推出Material Design 设计理念已经有段时间了,为支持更方便的实现 Material Design设计效果,官方给出了Android support design library ...

  5. Property Injection in Asp.Net Core (转载)

    问: I am trying to port an asp.net application to asp.net core. I have property injection (using ninj ...

  6. Android Design Support Library概览

    尊重劳动成果.转载请注明出处:http://blog.csdn.net/growth58/article/details/47972467 关注新浪微博:@于卫国 邮箱:yuweiguocn@gmai ...

  7. 使用 Microsoft.Extensions.DependencyInjection 进行依赖注入

    没有 Autofac DryIoc Grace LightInject Lamar Stashbox Unity Ninject 的日子,才是好日子~~~~~~~~~~ Using .NET Core ...

  8. ASP.NET Core 中文文档 第四章 MVC(4.4)依赖注入和控制器

    原文: Dependency Injection and Controllers 作者: Steve Smith 翻译: 刘浩杨 校对: 孟帅洋(书缘) ASP.NET Core MVC 控制器应通过 ...

  9. MVC2,MVC3,MVC4和MVC5的不同

    现在MVC的技术日趋成熟,面对着不同版本的MVC大家不免有所迷惑 -- 它们之间有什么不同呢?下面我把我搜集的信息汇总一下,以便大家能更好的认识不同版本MVC的功能,也便于自己查阅. View Eng ...

随机推荐

  1. POJ 2528 线段树

    坑: 这道题的坐标轴跟普通的坐标轴是不一样的-- 此题的坐标轴 标号是在中间的-- 线段树建树的时候就不用[l,mid][mid,r]了(这样是错的) 直接[l,mid][mid+1,r]就OK了 D ...

  2. POJ 3122 Pie 二分答案

    题意:给你n个派,每个派都是高为一的圆柱体,把它等分成f份,每份的最大体积是多少. 思路: 明显的二分答案题-- 注意π的取值- 3.14159265359 这样才能AC,,, //By Sirius ...

  3. angular route 与 django urls 冲突怎么解决?

    app.js var app = angular.module('app', [ 'ngResource', 'ngRoute', // 'ui.bootstrap', // 'ngResource' ...

  4. PostgreSQL Replication之第二章 理解PostgreSQL的事务日志(2)

    2.2 XLOG和复制 在本章中,您已经了解到PostgreSQL的事务日志已经对数据库做了所有的更改.事务日志本身被打包为易用的16MB段. 使用这种更改集来复制数据的想法是不牵强的.事实上,这是在 ...

  5. C#中Dictionary排序方式

    转载自:https://www.cnblogs.com/5696-an/p/5625142.html 自定义类: https://files.cnblogs.com/files/xunhanliu/d ...

  6. Linux 下安装 redis 详情

    一:将redis 压缩包上传到 Linux  usr/local下 (一):在local 下创建一个 redis 目录 (二):上传redis压缩包到此目录下. 二:Linux 进入 local目录下 ...

  7. 说说Kindle那些事

    已经不记得是什么时候在哪里听过kindle这玩意的了,反正最开始买kindle还是大四上学期,貌似是2012-9-30,那时候是整个大学最闲的时候,不知道哪天闲的蛋疼一冲动就买了个kindle4黑色款 ...

  8. tload---显示系统负载

    tload命令以图形化的方式输出当前系统的平均负载到指定的终端.假设不给予终端机编号,则会在执行tload指令的终端机显示负载情形. 语法 tload(选项)(参数) 选项 -s:指定闲时的刻度: - ...

  9. Spring可扩展Schema标签

    基于Spring可扩展Schema提供自己定义配置支持 http://blog.csdn.net/cutesource/article/details/5864562 WARN : org.sprin ...

  10. Codeforces Round #337 (Div. 2) 610C Harmony Analysis(脑洞)

    C. Harmony Analysis time limit per test 3 seconds memory limit per test 256 megabytes input standard ...