Topic: CSRF Vulnerability
ozzy13
Joined: 11 Feb 2018 Posts: 4 Location: US, Brooklyn
Posted: Tue 06 Mar '18 18:56 Post subject: CSRF Vulnerability
Hello Peeps!
I've a query regarding CSRF Referer header validation.
I would like to know if there are any configurations for CSRF in httpd.conf or a third-party module except mod_security.
Basically, I want to deny any requests apart from my server name/domain in the Referer header.
For example, in mod_security this rule does the work:

    SecRule REQUEST_HEADERS:Referer "!@contains ://%{SERVER_NAME}/" \
        "id:432010,phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403"

I want to achieve this without mod_security.
Please advise.
TIA.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
ozzy13
Joined: 11 Feb 2018 Posts: 4 Location: US, Brooklyn
Posted: Wed 07 Mar '18 8:49 Post subject:
That's me asking the question on a different forum.
I tried the configuration but it doesn't work.
Is there any configuration which will work like this:
if the request comes from a different domain it should give a 403 Forbidden error. Like I tested on Burp Suite, and when I change the Referer to anything other than my domain, it shows HTTP code 200.
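One way to get the behaviour both of ozzy13's posts ask for (a 403 whenever the Referer does not point at the site itself) using only httpd's own mod_rewrite, with no mod_security. This is an added example, not code from the thread or from Apache Lounge; it assumes mod_rewrite is loaded, that it sits in the server or VirtualHost config (it works in .htaccess too), and uses www.example.com as a placeholder for the site's real host name.

```apache
# Added example (not from the thread): reject state-changing requests whose
# Referer does not point at this site, without mod_security.
# Assumes mod_rewrite is loaded; www.example.com is a placeholder for your host.
RewriteEngine On

# Only police methods that change state. GET and HEAD are left alone so that
# bookmarks, direct visits and requests from privacy tools that strip the
# Referer are still served.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH|DELETE)$

# To tolerate a missing Referer on state-changing requests as well (some
# proxies and browser privacy settings remove it), uncomment the next line;
# an empty Referer then falls through instead of being denied.
# RewriteCond %{HTTP_REFERER} !^$

# Deny unless the Referer is an http(s) URL on exactly this host, with an
# optional port. The trailing (/|$) stops a look-alike such as
# www.example.com.attacker.test from matching.
RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com(:[0-9]+)?(/|$) [NC]

# No substitution, just answer 403 Forbidden.
RewriteRule ^ - [F]
```

The three RewriteCond lines are ANDed, so a request is refused only when it is a state-changing method and its Referer is absent or foreign; a cross-site form post, or a Burp-edited Referer as in the second post, gets 403 instead of 200. On httpd 2.4 the same test can be written as an `<If>` expression block around `Require all denied`, which avoids mod_rewrite entirely. Either way, treat Referer checking as defence in depth: browsers and proxies may strip the header, so a per-session anti-CSRF token (or SameSite cookies) remains the primary protection.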
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3093 Location: Hilversum, NL, EU