Dauto,
As you know, this is part of the optional rules collection and this
means it is less used and less tested than the other core rules.
Personally, I have not used this ruleset, so I am not really sure it
works as advertised.
A few questions I would try to answer if I were debugging this:
-
Hi Christian,
Thank you for your reply. I will use your feedback to investigate the reason,
but will postpone that to another time. From my research I also found that this rule
is not much used and needs some extra effort to get it working on a specific
application.
Regards,
Dauto
> Date: Thu, 12 May
Dauto (and Christian),
I had a look at this rule before and am not a fan.
CSRF_TOKENs should come from the app in my mind and not the WAF. However,
ModSecurity does have a method of using them, which is an interesting proof of
concept, but I think it's flaky for a number of reasons.
The way it wo
Barry,
On Thu, May 12, 2016 at 10:01:53AM +0100, Barry Pollard wrote:
> I had a look at this rule before and am not a fan.
> CSRF_TOKENs
> should come from the app in my mind and not the WAF. However,
> ModSecurity does have a method of using them, which is an interesting
> proof of concept, but
Hey everyone,
Thought I would come "out the shadows" and comment on this topic since I was
the one who created those CSRF rules -
These are definitely PoC level rules. They were intended to show ModSecurity’s
content injection capabilities and this was just one use-case.
The actual JS code that
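The point Barry makes above, that CSRF tokens should be issued and checked by the application rather than injected by the WAF, can be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from the CRS optional rules, or from ModSecurity, and it does not reproduce the content-injection approach Ryan describes. It assumes a hypothetical server secret `SERVER_SECRET`, a session identifier the app already has (for example from its session cookie), and a minimal `Request` object; real frameworks supply their own equivalents. The token is bound to the session with an HMAC, so it needs no server-side token store, and it is only demanded on state-changing methods.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical application secret (assumption for this example). A real app
# loads this from configuration or a secrets manager, never from source code.
SERVER_SECRET = b"example-only-secret-do-not-use-in-production"

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over the session id and a per-token nonce."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, nonce: Optional[str] = None) -> str:
    """Token the app embeds in its own forms: '<nonce>.<hmac>'.

    Binding the MAC to the session id means a token issued in one session
    is useless in another, and the app never has to store issued tokens.
    """
    nonce = nonce or secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: str) -> bool:
    """Constant-time check of a submitted token against the current session."""
    if not token or "." not in token:
        return False
    nonce, submitted_mac = token.split(".", 1)
    return hmac.compare_digest(submitted_mac, _mac(session_id, nonce))


@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for this example)."""
    method: str
    session_id: str
    form: dict = field(default_factory=dict)


def handle(req: Request) -> int:
    """Return the HTTP status the app would send for this request."""
    if req.method in SAFE_METHODS:
        return 200
    if not verify_token(req.session_id, req.form.get("csrf_token", "")):
        return 403  # missing, forged, tampered or cross-session token
    return 200


def demo() -> dict:
    """Run a handful of constructed requests and report their statuses."""
    victim, attacker = "sess-victim", "sess-attacker"
    good = issue_token(victim)
    # Flip the last hex digit so the MAC no longer matches.
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    return {
        "get_without_token": handle(Request("GET", victim)),
        "post_with_own_token": handle(Request("POST", victim, {"csrf_token": good})),
        "post_without_token": handle(Request("POST", victim)),
        "post_with_tampered_token": handle(Request("POST", victim, {"csrf_token": tampered})),
        "post_with_other_sessions_token": handle(
            Request("POST", victim, {"csrf_token": issue_token(attacker)})),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The last case is the one a WAF-injected token tends to get wrong: the check here succeeds only for a token minted for the same session, which the application knows and the WAF generally does not.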