Re: Help regarding CSRF Filter in Tomcat 7

2012-11-16 Thread Vijaya Kumar

Hi, 
Thanks a lot for the quick response. 
I have already gone through the suggestions given on Wikipedia. I found that 
the suggestions provided over there are not feasible in our application's 
context. 
Therefore, I am looking for an alternate way of preventing this attack. 

-Vijay

>>> André Warnier 11/16/2012 3:31 PM >>>
Vijaya Kumar wrote:
> Hi,
> I work on a web application that is vulnerable to CSRF (Cross Site Request 
> Forgery) attack. Tomcat 7 has a CSRF prevention filter. I went through the 
> description to configure this filter.
> This filter expects that we call 
> HttpServletResponse#encodeRedirectURL(String) or 
> HttpServletResponse#encodeURL(String).
> I see that in my application we don't use the above mentioned methods. Can 
> you please let me know whether there is any other way of using this filter 
> without making calls to encodeURL() or encodeRedirectURL()?
>
> To be precise, I am looking for a way to incorporate CSRF Filter in an 
> already existing application that doesn't use 
> HttpServletResponse#encodeRedirectURL(String) or 
> HttpServletResponse#encodeURL(String).
>
> Any help in this regard is appreciated.
>

Hi.
I am a bit of a novice in this area, but as far as I understand what a CSRF 
attack is (http://en.wikipedia.org/wiki/Cross-site_request_forgery), and what 
this filter does, it seems to me at least that if you are not using 
HttpServletResponse#encodeRedirectURL(String) or 
HttpServletResponse#encodeURL(String) in your application, then this filter 
would be unnecessary, and would not help anyway.

Why are you saying that your application is vulnerable to CSRF?

(Note that the same Wikipedia page seems to provide various tips to make your 
application less vulnerable to CSRF attacks in general).



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Help regarding CSRF Filter in Tomcat 7

2012-11-16 Thread Vijaya Kumar

Hi, 
I work on a web application that is vulnerable to CSRF (Cross Site Request 
Forgery) attack. Tomcat 7 has a CSRF prevention filter. I went through the 
description to configure this filter. 
This filter expects that we call HttpServletResponse#encodeRedirectURL(String) 
or HttpServletResponse#encodeURL(String). 
I see that in my application we don't use the above mentioned methods. Can you 
please let me know whether there is any other way of using this filter without 
making calls to encodeURL() or encodeRedirectURL()? 

To be precise, I am looking for a way to incorporate CSRF Filter in an already 
existing application that doesn't use 
HttpServletResponse#encodeRedirectURL(String) or 
HttpServletResponse#encodeURL(String). 

Any help in this regard is appreciated. 

Thanks, 
Vijay
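As an added illustration, not Tomcat's own code and not something posted in this thread, here is a minimal Java model of the mechanism the CSRF prevention filter relies on: a per-session cache of recent nonces, a response wrapper whose encodeURL() appends the current nonce, and a check that rejects any non-entry-point request whose nonce is missing or unknown. The nonce parameter name is the one Tomcat documents; the class, NonceCache and accept() are an assumed sketch, and the cache size and entry point are constructed values.

```java
import java.security.SecureRandom;
import java.util.*;

/** Added model of the Tomcat CsrfPreventionFilter nonce scheme (not Tomcat's code). */
public class CsrfNonceDemo {
    // Request-parameter name the Tomcat filter documents for its nonce.
    static final String NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE";
    private static final SecureRandom RNG = new SecureRandom();

    /** Bounded, per-session cache of recent nonces; the oldest entry is evicted first. */
    static final class NonceCache extends LinkedHashMap<String, Boolean> {
        private final int max;
        NonceCache(int max) { super(16, 0.75f, true); this.max = max; }
        @Override protected boolean removeEldestEntry(Map.Entry<String, Boolean> e) {
            return size() > max;
        }
    }

    /** Create and remember a fresh nonce, as the filter does for each filtered response. */
    static String newNonce(NonceCache cache) {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        String nonce = HexFormat.of().formatHex(b);
        cache.put(nonce, Boolean.TRUE);
        return nonce;
    }

    /** What the filter's response wrapper does inside encodeURL()/encodeRedirectURL(). */
    static String encodeURL(String url, String nonce) {
        return url + (url.contains("?") ? "&" : "?") + NONCE_PARAM + "=" + nonce;
    }

    /** The filter's check: entry points pass; everything else needs a nonce that is in the cache. */
    static boolean accept(String path, String presentedNonce, NonceCache cache, Set<String> entryPoints) {
        if (entryPoints.contains(path)) return true;
        return presentedNonce != null && cache.containsKey(presentedNonce);
    }

    public static void main(String[] args) {
        NonceCache cache = new NonceCache(5);            // constructed: Tomcat's default is larger
        Set<String> entryPoints = Set.of("/login");      // constructed entry point
        String nonce = newNonce(cache);
        System.out.println("link the app must emit: " + encodeURL("/account/transfer", nonce));
        // A hand-written <a href="/account/transfer"> carries no nonce, so the filter rejects it;
        // only links that went through encodeURL() (or an entry point) get through.
        System.out.println("bare link accepted:  " + accept("/account/transfer", null, cache, entryPoints));
        System.out.println("encoded link accepted: " + accept("/account/transfer", nonce, cache, entryPoints));
        System.out.println("entry point accepted: " + accept("/login", null, cache, entryPoints));
    }
}
```

This is why an application that never routes its URLs through encodeURL()/encodeRedirectURL() gets no protection from the filter: the nonce never reaches the browser, and every non-entry-point request is refused.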
