Should have put a smiley on my use of "security goons". :-) I appreciate the value of security. However, in this case, I believe that they really are false positives.
BTW, I would love to have a copy of your preso. Please send it off-list (or post a link). Many thanks.

On Thu, Dec 18, 2008 at 8:51 AM, Dean H. Saxe <[email protected]> wrote:
> They may be doing automated scanning resulting in false positives. Have a
> manual review completed to rule out false positives. This is a serious
> concern, however, and should be addressed in all development projects. If
> you wish I can send out a copy of my MAX preso where I address CSRF. Also see
> CSRFGuard from OWASP for an implementation in Java which you can reference.
>
> And us "security goons" are trying to protect those "clueless developers"
> from themselves. ;-)
>
> -dhs
>
> On Dec 18, 2008, at 8:39 AM, "Gerry Gurevich" <[email protected]> wrote:
>
>> Thanks for the info Shawn. We've got someone looking at your
>> solution. I just realized that I hadn't posted the link to the
>> solution that we were looking at in my original post. Here it is:
>>
>> http://www.12robots.com/index.cfm/2008/8/25/Request-Forgeries-and-ColdFusion--Security-Series-9
>>
>> I assume you are doing something similar.
>>
>> FWIW, I'm looking into this for a colleague and what he is telling me
>> is that the security goons are scanning his site and labeling it
>> vulnerable even though the pages that they are hitting with this
>> vulnerability are not action pages. Doesn't seem like a real problem
>> in that case to me.
>>
>> On Wed, Dec 17, 2008 at 4:08 PM, shawn gorrell <[email protected]> wrote:
>>>
>>> There are ways to do it for forms and urls. In fact, I have a fully baked
>>> implementation of a mitigation in my Tardis framework. The approach is
>>> simple: have each page request a token (nonce) from a security component
>>> and add it as a hidden to your form, or append it to any url inside your app
>>> and then check on the next request to make sure that the token was passed,
>>> and that it has never been used before. This also prevents double-submits.
>>> Let me know if you'd like a go-to for the code...
>>>
>>> ________________________________
>>> From: Gerry Gurevich <[email protected]>
>>> To: [email protected]
>>> Sent: Wednesday, December 17, 2008 3:59:50 PM
>>> Subject: [ACFUG Discuss] Cross Site Forgery Question
>>>
>>> Sorry, I posted to the wrong list initially. Here is my question for
>>> the discussion list:
>>>
>>> I've been asked to investigate this by someone at my company. They
>>> found this link as a CF solution. Do you all have any thoughts or
>>> opinions on the value of this approach? It seems to only work for
>>> form submit actions. What would you do if you had a link to an
>>> action page? How would you mitigate against this type of attack?
>>>
>>> Your thoughts are appreciated.
>>>
>>> -------------------------------------------------------------
>>> To unsubscribe from this list, manage your profile @
>>> http://www.acfug.org?fa=login.edituserform
>>>
>>> For more info, see http://www.acfug.org/mailinglists
>>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>>> List hosted by http://www.fusionlink.com
>>> -------------------------------------------------------------
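The token scheme Shawn describes in the quoted thread (each page asks a security component for a nonce, embeds it as a hidden form field or appends it to in-app links, and the next request is rejected unless the nonce is present and has never been used before) is language-independent, so here it is as an added Python example. This is not code from the thread, from the Tardis framework, or from the linked 12robots article; the class `CsrfTokenService`, the helpers `hidden_field`, `protect_url`, `token_from_request`, `token_from_url` and `handle_action`, and the parameter name `csrf_token` are all this example's own assumptions. It also covers the "link to an action page" case from Gerry's original question by carrying the same nonce in a query parameter.

```python
# Added example (not from the list thread or the Tardis framework): one-time
# anti-CSRF nonces bound to a session, usable in a hidden field or a URL.
import hmac
import secrets
import time
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

TOKEN_PARAM = "csrf_token"  # assumed field/parameter name, not from the thread


class CsrfTokenService:
    """Issues per-session nonces and accepts each one exactly once."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._issued = {}            # token -> (session_id, expires_at)

    def issue(self, session_id):
        """Mint a fresh unpredictable token tied to the caller's session."""
        self._purge_expired()
        token = secrets.token_urlsafe(32)
        self._issued[token] = (session_id, self._clock() + self._ttl)
        return token

    def verify(self, session_id, token):
        """Return True once for a valid token. The token is removed on the
        first attempt, so a replay or an accidental double-submit fails."""
        if not token:
            return False
        record = self._issued.pop(token, None)   # single use, even on failure
        if record is None:
            return False
        owner, expires_at = record
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(owner.encode(), session_id.encode())

    def _purge_expired(self):
        now = self._clock()
        for tok in [t for t, (_, exp) in self._issued.items() if exp < now]:
            del self._issued[tok]


def hidden_field(token):
    """HTML for the hidden input to drop into a form."""
    return '<input type="hidden" name="%s" value="%s">' % (
        TOKEN_PARAM, escape(token, quote=True))


def protect_url(url, token):
    """Append the token as a query parameter to an in-app link."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[TOKEN_PARAM] = [token]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def token_from_request(params):
    """Pull the token out of submitted form fields or parsed query params."""
    values = params.get(TOKEN_PARAM)
    if isinstance(values, list):
        return values[0] if values else None
    return values


def token_from_url(url):
    """Convenience for links: parse the query string and extract the token."""
    return token_from_request(parse_qs(urlparse(url).query))


def handle_action(service, session_id, params):
    """Action-page guard: refuse the request unless a fresh token is present."""
    if not service.verify(session_id, token_from_request(params)):
        return "rejected"
    return "ok"


if __name__ == "__main__":
    svc = CsrfTokenService()
    tok = svc.issue("sess-A")
    print(hidden_field(tok))
    print(protect_url("http://example.invalid/app/delete.cfm?id=7", tok))
    print(handle_action(svc, "sess-A", {TOKEN_PARAM: tok}))   # first use: ok
    print(handle_action(svc, "sess-A", {TOKEN_PARAM: tok}))   # reuse: rejected
```

Two design points worth noting: the token is removed from the store on the first verification attempt whether or not it matches, so a guessed or stale value cannot be retried, and the session check uses a constant-time comparison so verification timing does not leak which part failed. A scanner that only sees the non-action pages will still report "no token on this page", which is the false-positive situation discussed above; the guard only needs to run on the pages that actually perform an action.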
