logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: CSRF Vulnerability
Author
ozzy13



Joined: 11 Feb 2018
Posts: 4
Location: US, Brooklyn

PostPosted: Tue 06 Mar '18 18:56    Post subject: CSRF Vulnerability Reply with quote

Hello Peeps!

I've a query regarding CSRF referer header validation.

I would like to know if there are any configurations for CSRF in httpd.conf or third party module except mod_security.

Basically, I want to deny any requests apart from my server name/domain in referrer header.

For eg - In mod_security, this rule does the work

SecRule REQUEST_HEADERS:Referer "!@contains ://%{SERVER_NAME}/" \
"id:432010,phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403"

I want to achieve this without mod_security.

Please advise.

TIA.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Tue 06 Mar '18 21:09    Post subject: Reply with quote

Mt take on this, not that it's correct.
https://forum.apachehaus.com/index.php?topic=1545.msg4195#new
Back to top
ozzy13



Joined: 11 Feb 2018
Posts: 4
Location: US, Brooklyn

PostPosted: Wed 07 Mar '18 8:49    Post subject: Reply with quote

That's me asking the question on a different forum.
I tried the configuration but it doesnt work.

Is there any configuration which will like this -

if the request comes from a different domain it should give 403 forbidden error. Like I tested on Burp Suite and when I change referer to anything else other than my domain, it shows HTTP code 200.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3047
Location: Hilversum, NL, EU

PostPosted: Wed 07 Mar '18 16:32    Post subject: Reply with quote

When I read what you want, looks like hotlinking ?

See https://httpd.apache.org/docs/2.4/rewrite/access.html#blocked-inline-images
Back to top


Reply to topic   Topic: CSRF Vulnerability View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules