CSRF marker in the GET method

I want to prevent CSRF attacks in my web application.

I configured CSRF protection in my Apache configuration, for example:

 <VirtualHost>
     ...
     CSRF_Enable on
     CSRF_Action deny
     CSRF_EnableReferer off
 </VirtualHost>

In addition, I installed the following apache modules:

 mod_csrf-0.3 mod_parp-0.12 mod_setenvifplus-0.23 

which are able to ignore CSRF in some cases.

Everything works fine: csrfpid is added to all POST requests and is not added to GET requests.

But one problem was found. When I send a GET request with the parameter www.example.com/test.jsp?csrfpid=some_csrf_id&some_attribute=0 , csrfpid is attached to the link.

I tried to play with:

 SetEnvIfPlus Request_Method "GET" CSRF_IGNORE=yes

But this does not work in my case.

In addition, I found that the problem is with the mod_csrf.c file.

It would be useful to get some ideas or links regarding the case described.
