The most advanced and imaginative use of the content injection feature is that devised by
Ryan C. Barnett, the ModSecurity Community Manager and author of the Core Rule Set. He
established a way to use content injection to defend vulnerable applications against Cross-
Site Request Forgery (CSRF) attacks, otherwise only possible through the modification of
the source code of the vulnerable applications. (If you are not familiar with CSRF, I suggest
that you read through the CSRF entry on Wikipedia [http://en.wikipedia.org/wiki/Crosssite_
request_forgery].)
The usual way to defend against CSRF is to embed special tokens into application forms, and
accept only those submits that contain the correct token values. CSRF requests faced with such
defenses always fail, because they have no way to “know” the correct token value.
Ryan’s approach was to use content injection to inject JavaScript into all application pages,
which is then used to modify all page forms to add tokens where they wouldn’t normally exist.
In the second part of the trick, he would have ModSecurity rules inspect all POST requests to
verify that they contain the correct values. Brilliant!
For more information, look up Ryan’s Black Hat DC 2009 whitepaper WAF Virtual Patching
Challenge: Securing WebGoat with ModSecurity. The 26-page document contains many other
interesting techniques.

CRSF Defense Using Content Injection Support By ModSecurity的更多相关文章

  1. ModSecurity web application firewall (WAF) Research

    catalog . 引言 . OWASP ModSecurity Core Rule Set (CRS) Project . Installation mod_security for Apache ...

  2. [security][modsecurity][nginx] nginx 与 modsecurity

    参考文档: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx nginx不支 ...

  3. OWIN support for the Web API 2 and MVC 5 integrations in Autofac

    Currently, in the both the Web API and MVC frameworks, dependency injection support does not come in ...

  4. Android support library支持包常用控件介绍(二)

    谷歌官方推出Material Design 设计理念已经有段时间了,为支持更方便的实现 Material Design设计效果,官方给出了Android support design library ...

  5. Property Injection in Asp.Net Core (转载)

    问: I am trying to port an asp.net application to asp.net core. I have property injection (using ninj ...

  6. Android Design Support Library概览

    尊重劳动成果.转载请注明出处:http://blog.csdn.net/growth58/article/details/47972467 关注新浪微博:@于卫国 邮箱:yuweiguocn@gmai ...

  7. 使用 Microsoft.Extensions.DependencyInjection 进行依赖注入

    没有 Autofac DryIoc Grace LightInject Lamar Stashbox Unity Ninject 的日子,才是好日子~~~~~~~~~~ Using .NET Core ...

  8. ASP.NET Core 中文文档 第四章 MVC(4.4)依赖注入和控制器

    原文: Dependency Injection and Controllers 作者: Steve Smith 翻译: 刘浩杨 校对: 孟帅洋(书缘) ASP.NET Core MVC 控制器应通过 ...

  9. MVC2,MVC3,MVC4和MVC5的不同

    现在MVC的技术日趋成熟,面对着不同版本的MVC大家不免有所迷惑 -- 它们之间有什么不同呢?下面我把我搜集的信息汇总一下,以便大家能更好的认识不同版本MVC的功能,也便于自己查阅. View Eng ...

随机推荐

  1. rest_framework_HyperlinkedIdentityField

    #生成链接 HyperlinkedIdentityField class UserInfoSerializer(serializers.ModelSerializer): group = serial ...

  2. 17.查找效率最高的unorderd_set(替代hash_set)

    #include <string> #include <iostream> //查询性能最高(不允许重复数据) #include <unordered_set> u ...

  3. Java类和对象5

    写一个Java应用程序,该应用程序包括2个类:Print类和主类E.Print类里有一个方法output()功能是输出100 ~ 999之间的所有水仙花数(各位数字的立方和等于这个三位数本身,如: 3 ...

  4. C#后台请求其它网站页面

    /// <summary> /// 指定Post地址使用Get 方式获取全部字符串 /// </summary> /// <param name="url&qu ...

  5. hiho1515 - 数据结构 并查集

    题目链接 小Hi的学校总共有N名学生,编号1-N.学校刚刚进行了一场全校的古诗文水平测验. 学校没有公布测验的成绩,所以小Hi只能得到一些小道消息,例如X号同学的分数比Y号同学的分数高S分. 小Hi想 ...

  6. Sql 问题---在尝试加载程序集 ID 65537 时 Microsoft .NET Framework 出错.服务器可能资源不足

    新库是直接复制的模板库 执行存储过程时报如下错 消息 10314,级别 16,状态 11,过程sp_Sync_CmsArticleToSearchs,第 30 行在尝试加载程序集 ID 65645 时 ...

  7. 洛谷P2196 && caioj 1415 动态规划6:挖地雷

    没看出来动规怎么做,看到n <= 20,直接一波暴搜,过了. #include<cstdio> #include<cstring> #include<algorit ...

  8. 题解 P3372 【【模板】线段树1 】

    看了一下题解里的zkw线段树,感觉讲的不是很清楚啊(可能有清楚的但是我没翻到,望大佬勿怪). 决定自己写一篇...希望大家能看明白... zkw线段树是一种优秀的非递归线段树,速度比普通线段树快两道三 ...

  9. 大数据时代的新BI系统架构发展趋势

    商业智能(BI,Business Intelligence).它是一套完整的解决方式,用来将企业中现有的数据进行有效的整合,高速准确的提供报表并提出决策根据.帮助企业做出明智的业务经营决策.     ...

  10. 关于自适应的矩形css布局

    在面试中遇到的问题,做一个自适应的宽高2:1的矩形,这个问题考察了padding的细节,padding-bottom的百分比值,相对的是该盒模型的height,设置矩形之后,里面的内容如果太多会溢出, ...