XSRF/CSRF attacks - auto url append?
Posted: Wed Feb 27, 2008 7:53 am
Hiya,
I'm trying to implement the highest possible security in my web app without using SSL, and of course anyone knowledgeable in this area would know that XSRF/CSRF attacks are a potential weakness.
Lots of sites with info suggest using an extra field on form submissions etc. However, this is cumbersome if applying to about 20 web forms. Is there a way of avoiding cluttering all my pages/views with this? I was thinking of a simple include file / ini setting / .htaccess file which will "do its stuff" on the querystring, whatever this may be?
Sorry for my vagueness, I have some trouble getting my head round every possible kind of attack, but I hope I'm asking the right question!
Thanks!
PS some resources which have helped educate me but not provided an elegant solution:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.codewalkers.com/c/a/Miscella ... cations/1/
http://phpsec.org/projects/guide/2.html
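One way to get the single-include behaviour asked about above, as an added example that is not part of the original post: a guard file loaded on every request (via `require_once`, or the `auto_prepend_file` setting in php.ini or .htaccess) that checks the token on submissions and adds the hidden field to forms through an output buffer. The file name `csrf_guard.php` and the field name `csrf_token` are assumptions, as are PHP 7+ and cookie-based sessions.

```php
<?php
// csrf_guard.php (hypothetical name): added example, not code from the thread.
// Assumes PHP 7+ (random_bytes, hash_equals, ??) and cookie-based sessions.
session_start();

// One token per session, generated from a CSPRNG.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
$token = $_SESSION['csrf_token'];

// Reject any state-changing request that does not carry the session's token.
// This is only sufficient if GET handlers never change state.
if (!in_array($_SERVER['REQUEST_METHOD'], ['GET', 'HEAD', 'OPTIONS'], true)) {
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($token, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Rewrite the outgoing HTML so every POST form gets the hidden field automatically.
ob_start(function (string $html) use ($token): string {
    $field = '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    return preg_replace_callback(
        '/<form\b[^>]*>/i',
        function (array $m) use ($field): string {
            // POST forms only: a token placed in a GET query string leaks
            // through Referer headers, server logs and browser history.
            if (!preg_match('/\bmethod\s*=\s*["\']?post\b/i', $m[0])) {
                return $m[0];
            }
            // Leave forms with an absolute action untouched so the token is
            // never sent to another site (same-site ones then fail closed).
            if (preg_match('/\baction\s*=\s*["\']?\s*(?:https?:)?\/\//i', $m[0])) {
                return $m[0];
            }
            return $m[0] . $field;
        },
        $html
    ) ?? $html;
});
```

Requests issued from scripts (XHR) are not rewritten by the output buffer and have to send `csrf_token` themselves.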