The most advanced and imaginative use of the content injection feature is that devised by
Ryan C. Barnett, the ModSecurity Community Manager and author of the Core Rule Set. He
established a way to use content injection to defend vulnerable applications against Cross-
Site Request Forgery (CSRF) attacks, otherwise only possible through the modification of
the source code of the vulnerable applications. (If you are not familiar with CSRF, I suggest
that you read through the CSRF entry on Wikipedia [http://en.wikipedia.org/wiki/Crosssite_
request_forgery].)
The usual way to defend against CSRF is to embed special tokens into application forms, and
accept only those submits that contain the correct token values. CSRF requests faced with such
defenses always fail, because they have no way to “know” the correct token value.
Ryan’s approach was to use content injection to inject JavaScript into all application pages,
which is then used to modify all page forms to add tokens where they wouldn’t normally exist.
In the second part of the trick, he would have ModSecurity rules inspect all POST requests to
verify that they contain the correct values. Brilliant!
For more information, look up Ryan’s Black Hat DC 2009 whitepaper WAF Virtual Patching
Challenge: Securing WebGoat with ModSecurity. The 26-page document contains many other
interesting techniques.

CRSF Defense Using Content Injection Support By ModSecurity的更多相关文章

  1. ModSecurity web application firewall (WAF) Research

    catalog . 引言 . OWASP ModSecurity Core Rule Set (CRS) Project . Installation mod_security for Apache ...

  2. [security][modsecurity][nginx] nginx 与 modsecurity

    参考文档: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx nginx不支 ...

  3. OWIN support for the Web API 2 and MVC 5 integrations in Autofac

    Currently, in the both the Web API and MVC frameworks, dependency injection support does not come in ...

  4. Android support library支持包常用控件介绍(二)

    谷歌官方推出Material Design 设计理念已经有段时间了,为支持更方便的实现 Material Design设计效果,官方给出了Android support design library ...

  5. Property Injection in Asp.Net Core (转载)

    问: I am trying to port an asp.net application to asp.net core. I have property injection (using ninj ...

  6. Android Design Support Library概览

    尊重劳动成果.转载请注明出处:http://blog.csdn.net/growth58/article/details/47972467 关注新浪微博:@于卫国 邮箱:yuweiguocn@gmai ...

  7. 使用 Microsoft.Extensions.DependencyInjection 进行依赖注入

    没有 Autofac DryIoc Grace LightInject Lamar Stashbox Unity Ninject 的日子,才是好日子~~~~~~~~~~ Using .NET Core ...

  8. ASP.NET Core 中文文档 第四章 MVC(4.4)依赖注入和控制器

    原文: Dependency Injection and Controllers 作者: Steve Smith 翻译: 刘浩杨 校对: 孟帅洋(书缘) ASP.NET Core MVC 控制器应通过 ...

  9. MVC2,MVC3,MVC4和MVC5的不同

    现在MVC的技术日趋成熟,面对着不同版本的MVC大家不免有所迷惑 -- 它们之间有什么不同呢?下面我把我搜集的信息汇总一下,以便大家能更好的认识不同版本MVC的功能,也便于自己查阅. View Eng ...

随机推荐

  1. java9新特性-2-安装与官网说明

    1.jdk 9的下载 http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html         下载安 ...

  2. windows下远程链接虚拟机Linux下MySQL数据库问题处理

    参考解决:https://www.cnblogs.com/blogforly/p/5997553.html 今天远程连接虚拟机中的MySQL数据库,一直连不上,在网上搜索了一下,发现原因是MySQL对 ...

  3. mybatis如何成功插入后获取自增长的id

    使用mybatis向数据库中插入一条记录,如何获取成功插入记录的自增长id呢? 需要向xml配置中加上一下两个配置: <insert id="add" useGenerate ...

  4. PostgreSQL环境中查看SQL执行计划示例

    explain   analyze ,format,buffers, format :TEXT, XML, JSON, or YAML. EXPLAIN (ANALYZE,buffers,format ...

  5. TrueOS 不再想要成为“桌面 BSD”了

    作者: John Paul Wohlscheid 译者: LCTT geekpi | 2018-07-13 22:53 TrueOS 很快会有一些非常重大的变化.今天,我们将了解桌面 BSD 领域将会 ...

  6. session 存入 redis

    <?php header('content-type:text/html;charset=utf-8'); /* * 更改 session 存储位置及存储方式. */ ini_set('sess ...

  7. CSS 制作 圆角TAB选项卡下拉效果(顺便学习CSS伪元素

    CSS伪元素: 伪元素如果没有设置“content”属性,伪元素是无用的. 使用伪元素插入的内容在页面的源码里是不可见的,只能在css里可见 插入的元素在默认情况下是内联元素(或者,在html5中,在 ...

  8. 把qtdesigner中的ui文件生成py文件 anaconda

    无奈,马上实习就要结束了,但是自己的长进才是在stm32方面,虽然对linux有了些接触 但本质上没有任何进展,不能不说这事我的悲哀,在研三的时候却要做别人大二时做的事情 如今又是精力太散,迷上了py ...

  9. vue滚动行为

    有人问道如何记录vue页面的滚动条位置,再次载入组件的时候页面滚动到记录的位置? 思路: 记录滚动条位置我们好记 我们要在组件销毁之前也就是页面跳转的时候 需要用到生命周期beforeDistory将 ...

  10. python in操作引发 TypeError

    在看 networkx 源代码的时候认为疑惑.为什么外层 for 要注意 TypeError.里面就不用.相同是 in, 一直纠结 node 是不是有问题,比方 node 不能够被迭代什么的,那么里面 ...