[jboss-jira] [JBoss JIRA] Resolved: (JBWEB-141) Servlet Filter against CSRF

[Remy Maucherat (JIRA)]

     [ https://jira.jboss.org/jira/browse/JBWEB-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remy Maucherat resolved JBWEB-141.
----------------------------------

    Fix Version/s: JBossWeb-3.0.0.Beta6
       Resolution: Done


For XSS, if you are talking about a well defined set of patterns, you might be able to create a set of mod_rewrite rules. They should then work just fine with the rewrite valve. If that's not enough, then create a new JIRA on XSS.

> Servlet Filter against CSRF
> ---------------------------
>
>                 Key: JBWEB-141
>                 URL: https://jira.jboss.org/jira/browse/JBWEB-141
>             Project: JBoss Web
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>            Reporter: Marc Schoenefeld
>            Assignee: Remy Maucherat
>            Priority: Minor
>             Fix For: JBossWeb-3.0.0.Beta6
>
>
> Cross-Site scripting and cross-site request forgery attacks are common threat to every web application. 
> So a common solution offered by the http server is helpful to raise the default protection level. 
> A servlet filter will help to  
> a) allow/block requests for a set of XSS regex patterns (per default blacklist suspicious parameter patterns, and optionally whitelist valid requests for well-known applications)  
> b) allow/block requests that fulfil the criteria for being a forged request (failing nonce compare), this will need a javascript helper on the client side, to transparently protect existing applications to provide the shared secret in the session . 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira