
I am going to prevent CSRF attacks in my web application.

I've set up the CSRF configuration in my Apache like this:

<VirtualHost>
...

    # enable mod_csrf for this virtual host
    CSRF_Enable on
    # reject requests that fail the check instead of only logging them
    CSRF_Action deny
    # do not fall back to verifying the Referer header
    CSRF_EnableReferer off


</VirtualHost>

Also, I've installed the following Apache modules:

mod_csrf-0.3
mod_parp-0.12
mod_setenvifplus-0.23

which make it possible to ignore CSRF checks in some cases.

Everything works fine, namely csrfpid is added to all POST requests and is not added to GET requests.

But one issue was found. When I try to send a GET request with a parameter, www.example.com/test.jsp?csrfpid=some_csrf_id&some_attribute=0, the csrfpid token is attached to the link.

I've tried to play with:

SetEnvIfPlus Request_Method "GET" CSRF_IGNORE=yes

But it does not work in my case.

Also, I've found that the issue is caused in the mod_csrf.c file.

It would be good to get some ideas or a helpful link regarding the described case.

fashuser
The ideal solution is to only include the CSRF token in POST requests and modify server-side actions that have a state-changing effect to only respond to POST requests ... CSRF tokens in GET requests are potentially leaked at several locations: browser history, HTTP log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site. Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet – Alexander Pranko Feb 10 '15 at 17:12
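As an added illustration of the approach the comment above quotes (this is example code written for this page, not part of the question, of mod_csrf, or of the OWASP cheat sheet), the Python below implements a synchronizer-token check that reads the token from POST bodies only, refuses any request that carries the token in its query string, allows state changes only over POST, and scans constructed Apache access-log lines for tokens that did leak into GET request lines, which is the exact symptom the question describes. The parameter name csrfpid is reused from the question; the `handle`, `render_form` and `leaked_tokens` functions, the session dict layout and the log lines are all assumptions made for the example.

```python
"""Added example: synchronizer-token CSRF handling where the token lives only in
POST bodies, plus a scan for tokens leaked into GET request lines of an access log.
Function names, the session layout and the log lines are constructed for this
example; only the parameter name csrfpid is taken from the question."""
import hmac
import html
import re
import secrets
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAM = "csrfpid"  # parameter name used in the question; the handling below is our own


def new_session_token() -> str:
    """Per-session secret kept server-side; 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def render_form(action: str, session: dict) -> str:
    """The only place the token is ever emitted: a hidden field in a POST form.
    Links (GET) never receive it, so it cannot end up in history, logs or Referer."""
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="{TOKEN_PARAM}" '
        f'value="{html.escape(session["csrf_token"], quote=True)}">'
        '<input type="submit" value="Go"></form>'
    )


def handle(method: str, url: str, session: dict, body: str = "") -> tuple:
    """Gatekeeper for a state-changing endpoint. Returns (status, reason).

    - a token in the query string is refused outright, whatever the method,
      because it has already been exposed to history and log files;
    - GET is read-only and needs no token;
    - only POST may change state, and only with a token matching the session's.
    """
    query = parse_qs(urlsplit(url).query)
    if TOKEN_PARAM in query:
        return 400, "csrf token must not travel in the query string"
    if method == "GET":
        return 200, "read-only"
    if method != "POST":
        return 405, "state-changing requests must use POST"
    supplied = parse_qs(body).get(TOKEN_PARAM, [""])[0]
    expected = session.get("csrf_token", "")
    # constant-time comparison so a timing side channel cannot recover the token
    if not expected or not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid csrf token"
    return 200, "state changed"


# Constructed Apache combined-format log lines (not real traffic). The first shows
# the leak from the question: a token in a GET query string.
LOG_LINES = [
    '10.0.0.5 - - [10/Feb/2015:17:12:00 +0000] "GET /test.jsp?csrfpid=some_csrf_id&some_attribute=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Feb/2015:17:12:03 +0000] "POST /test.jsp HTTP/1.1" 302 0 "http://www.example.com/test.jsp" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Feb/2015:17:12:09 +0000] "GET /index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def leaked_tokens(lines) -> list:
    """Return (method, path, token) for every request line whose query string
    carries the CSRF parameter. POST tokens sit in the body and never appear here,
    which is the point of keeping them out of URLs."""
    found = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        tokens = parse_qs(target.query).get(TOKEN_PARAM)
        if tokens:
            found.append((m.group("method"), target.path, tokens[0]))
    return found


if __name__ == "__main__":
    session = {"csrf_token": new_session_token()}
    print(render_form("/transfer", session))
    print(handle("GET", "/test.jsp?some_attribute=0", session))
    print(handle("GET", "/test.jsp?csrfpid=leaked&some_attribute=0", session))
    print(handle("POST", "/transfer", session, f"{TOKEN_PARAM}={session['csrf_token']}&amount=1"))
    print(handle("POST", "/transfer", session, "amount=1"))
    for hit in leaked_tokens(LOG_LINES):
        print("leaked token in access log:", hit)
```

Running `leaked_tokens` over a real access log is a quick way to confirm whether a deployment is leaking tokens the way the question describes; the `handle` rules then make such a request fail loudly instead of silently accepting a token that has already been written to disk.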

0 Answers