The most advanced and imaginative use of the content injection feature is the one devised by
Ryan C. Barnett, the ModSecurity Community Manager and author of the Core Rule Set. He
found a way to use content injection to defend vulnerable applications against Cross-Site
Request Forgery (CSRF) attacks, something that is otherwise possible only by modifying the
source code of the vulnerable applications. (If you are not familiar with CSRF, I suggest
that you read the CSRF entry on Wikipedia [http://en.wikipedia.org/wiki/Cross-site_request_forgery].)
The usual way to defend against CSRF is to embed special tokens into application forms and to
accept only those submissions that carry the correct token value. A forged request always fails
against such a defense, because the attacker's page has no way to "know" the token value; for
that to hold, the token must be unpredictable and tied to the victim's session.
Ryan's approach was to use content injection to add JavaScript to every application page; the
script then modifies every form on the page to add a token field where the application itself
provides none. In the second part of the trick, ModSecurity rules inspect every POST request and
verify that it carries the correct token value. Brilliant!
For more information, look up Ryan’s Black Hat DC 2009 whitepaper WAF Virtual Patching
Challenge: Securing WebGoat with ModSecurity. The 26-page document contains many other
interesting techniques.
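The following configuration is an added illustration of the two halves of the technique; it is not Ryan's rule set from the paper, nor code from the ModSecurity project. It assumes ModSecurity 2.x on Apache with SecDataDir already configured, an application session cookie named JSESSIONID, a hidden field named csrf_token, and unused rule ids in the 900100 range.

```apache
# Added illustration (assumed names: JSESSIONID cookie, csrf_token field,
# rule ids 900100-900104). Not the rules from Ryan Barnett's paper.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/html
SecContentInjection On

# Part 1a: bind ModSecurity's SESSION collection to the application's
# own session cookie, then mint a per-session token on first sight.
# UNIQUE_ID comes from mod_unique_id and is unique, not cryptographically
# random; a hardened deployment would derive the token from a better source.
SecRule REQUEST_COOKIES:JSESSIONID ".+" \
    "phase:1,id:900100,nolog,pass,t:none,setsid:%{REQUEST_COOKIES.JSESSIONID}"
SecRule REQUEST_COOKIES:JSESSIONID ".+" \
    "phase:1,id:900101,nolog,pass,t:none,chain"
    SecRule &SESSION:csrf_token "@eq 0" \
        "setvar:SESSION.csrf_token=%{UNIQUE_ID}"

# Part 1b: append a script to every HTML page once a session token exists.
# The %{SESSION.csrf_token} macro is expanded in the append value, so the
# browser receives the real token. The script skips GET forms so the token
# never ends up in a query string or Referer header.
SecRule RESPONSE_CONTENT_TYPE "@beginsWith text/html" \
    "phase:4,id:900102,nolog,pass,t:none,chain"
    SecRule &SESSION:csrf_token "@eq 1" \
        "append:'<script>(function(){var t=\"%{SESSION.csrf_token}\";var f=document.forms;for(var i=0;i<f.length;i++){if(f[i].method.toLowerCase()!==\"post\"){continue;}var e=document.createElement(\"input\");e.type=\"hidden\";e.name=\"csrf_token\";e.value=t;f[i].appendChild(e);}})();</script>'"

# Part 2: every POST must carry exactly one csrf_token, and it must equal
# the token stored in the session collection. Two rules because a chain
# expresses AND, not OR.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:2,id:900103,deny,status:403,log,msg:'CSRF token missing',t:none,chain"
    SecRule &ARGS_POST:csrf_token "!@eq 1" "t:none"
SecRule REQUEST_METHOD "@streq POST" \
    "phase:2,id:900104,deny,status:403,log,msg:'CSRF token mismatch',t:none,chain"
    SecRule ARGS_POST:csrf_token "!@streq %{SESSION.csrf_token}" "t:none"
```

Two caveats a practitioner should keep in mind before deploying something like this. First, the check in part 2 applies to every POST, so non-form POSTs (XMLHttpRequest calls, file uploads from other clients, API endpoints) need either the same client-side treatment or an explicit exemption. Second, injection only works when ModSecurity sees the HTML as text: responses compressed by the backend, or pages that load forms dynamically after the appended script has run, will not get their token and will be blocked by rule 900103.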
