Apache Lounge
CSRF Vulnerability

Apache Forum Index -> Apache third-party Modules



ozzy13 (Joined: 11 Feb 2018, Posts: 4, Location: US, Brooklyn)
Posted: Tue 06 Mar '18 18:56, subject: CSRF Vulnerability

Hello Peeps!

I've a query regarding CSRF referer header validation.

I would like to know if there are any configurations for CSRF in httpd.conf or a third-party module other than mod_security.

Basically, I want to deny any requests apart from my server name/domain in the Referer header.

For example, in mod_security this rule does the work:

    SecRule REQUEST_HEADERS:Referer "!@contains ://%{SERVER_NAME}/" \
        "id:432010,phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403"

I want to achieve this without mod_security.

Please advise.

TIA.
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2158, Location: Sun Diego, USA)
Posted: Tue 06 Mar '18 21:09

My take on this, not that it's correct:
https://forum.apachehaus.com/index.php?topic=1545.msg4195#new
ozzy13 (Joined: 11 Feb 2018, Posts: 4, Location: US, Brooklyn)
Posted: Wed 07 Mar '18 8:49

That's me asking the question on a different forum.
I tried the configuration but it doesn't work.

Is there any configuration which will work like this:

if the request comes from a different domain, it should give a 403 Forbidden error. I tested in Burp Suite, and when I change the Referer to anything other than my domain, it shows HTTP code 200.
Steffen, Moderator (Joined: 15 Oct 2005, Posts: 2641, Location: Hilversum, NL, EU)
Posted: Wed 07 Mar '18 16:32

When I read what you want, it looks like hotlinking?

See https://httpd.apache.org/docs/2.4/rewrite/access.html#blocked-inline-images
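Neither reply spells out the httpd.conf equivalent of the mod_security rule in the first post, and the page Steffen links to is the hotlinking recipe, which is the same Referer test applied to image paths. The configuration below is an added example, written for this edit; it is not code from the thread, from the Apache Lounge binaries, or from the httpd documentation. It assumes a hypothetical site served as https://www.example.com, mod_rewrite loaded, and placement in the server or <VirtualHost> context (not .htaccess, where the same directives need Options FollowSymLinks and per-directory semantics). It checks the Origin header before falling back to Referer, because a cross-site form POST carries Origin in current browsers while Referer is routinely stripped by Referrer-Policy and privacy tooling, and it limits the CSRF check to state-changing methods so that GET navigation and direct visits with no Referer are unaffected.

```apache
# Added example, not from the thread: Referer/Origin check with core mod_rewrite.
# Assumed host: https://www.example.com (hypothetical). Server or vhost context.

RewriteEngine On

# Rule 1: a state-changing request carries an Origin header that is not ours.
# A hostile page cannot drop Origin on a cross-site POST; the most it can do
# (e.g. referrerpolicy="no-referrer") is turn it into the literal "null",
# which this rule rejects as well.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH|DELETE)$
RewriteCond %{HTTP:Origin}   !^$
RewriteCond %{HTTP:Origin}   !^https://www\.example\.com$ [NC]
RewriteRule ^ - [F]

# Rule 2: no Origin header at all, so fall back to Referer, which is what the
# mod_security rule in the first post checks. Deny when Referer does not start
# with our origin; with this form a missing Referer is denied too (fail closed).
# To accept a missing Referer instead, add "RewriteCond %{HTTP_REFERER} !^$"
# directly above the last RewriteCond of this block.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH|DELETE)$
RewriteCond %{HTTP:Origin}   ^$
RewriteCond %{HTTP_REFERER}  !^https://www\.example\.com/ [NC]
RewriteRule ^ - [F]

# Rule 3: the hotlinking case from Steffen's link, for comparison. Same Referer
# test, but applied to image paths on any method, and an empty Referer is let
# through because a direct visit or a bookmark has none.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://www\.example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png|webp)$ - [F,NC]
```

To reproduce the Burp test from the command line, send a POST with a Referer such as https://attacker.example/ and no Origin header and expect 403 from rule 2; send the same POST with Origin: https://attacker.example and expect 403 from rule 1; a POST with Origin: https://www.example.com should pass. Two caveats a reviewer would raise: a browser performing a real cross-site request cannot set Referer to an arbitrary value the way Burp can, it can only omit it, so the missing-header branch is the one that decides whether this fails open; and a header check is defence in depth next to a per-session anti-CSRF token or SameSite cookies, not a replacement for them.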

