]
Remy Maucherat updated JBWEB-141:
---------------------------------
Summary: Servlet Filter against CSRF (was: Servlet Filter against XSS)
Servlet Filter against CSRF
---------------------------
Key: JBWEB-141
URL:
https://jira.jboss.org/jira/browse/JBWEB-141
Project: JBoss Web
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Reporter: Marc Schoenefeld
Assignee: Remy Maucherat
Priority: Minor
Cross-Site scripting and cross-site request forgery attacks are common threat to every
web application.
So a common solution offered by the http server is helpful to raise the default
protection level.
A servlet filter will help to
a) allow/block requests for a set of XSS regex patterns (per default blacklist suspicious
parameter patterns, and optionally whitelist valid requests for well-known applications)
b) allow/block requests that fulfil the criteria for being a forged request (failing
nonce compare), this will need a javascript helper on the client side, to transparently
protect existing applications to provide the shared secret in the session .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: