3 May 13:16
Re: Tokens?
Christian Martorella <cmartorella <at> isecauditors.com>
2005-05-03 11:16:27 GMT
Ivan Ristic wrote:
> Christian Martorella wrote:
>
>> Hi, I was looking at other application firewalls and I saw that some of
>> them use tokens to sign forms or variables with a hash.
>
>
> Can you be more specific? What are they signing? The hidden fields,
> the names of the fields?
>
>
What you sign with a hash is the values of the hidden fields, or the
values of the URL parameters.
For example if you have
<input name="year" type="hidden"
value="1984?MSEC=OurhashOurhashOurHash">
So if someone changes 1984 to 1982, when you recalculate the hash for
year it will be different and you deny the request.
I know this would bring more performance issues, but it will be good for
Parameter Tampering, Cookie Tampering, and all tampering that could be done.
>> Are there plans to implement this on Mod_Security? Or is there
>> someone already working on it?
>
>
> No. I am not convinced such feature would have significant value in
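The scheme described in the message above (a hidden field whose value carries `?MSEC=<hash>`, recomputed and compared on the next request) as an added worked example. This is not code from the thread or from ModSecurity; it is a small Python illustration with a constructed secret key. It uses HMAC-SHA256 rather than a bare hash, because an unkeyed hash can be recomputed by whoever tampers with the value, while a keyed MAC can only be produced by the server holding the secret. The field name is mixed into the MAC so a signed value cannot be moved to a different field, and the comparison is constant-time.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed example key. A real deployment loads this from server-side
# configuration and never sends it to the client.
SECRET_KEY = b"example-only-secret-key"

# Separator format taken from the mail: value?MSEC=<hash>
SEP = "?MSEC="


def sign_value(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    """Return the field value with its MAC appended, e.g. '1984?MSEC=<hex>'.

    The field name is bound into the MAC so that a value signed for one
    field cannot be replayed as another field's value.
    """
    msg = f"{name}\x00{value}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{value}{SEP}{mac}"


def verify_value(name: str, signed: str, key: bytes = SECRET_KEY):
    """Return (True, value) if the MAC matches, otherwise (False, None).

    A value with no MAC at all is rejected as well, so stripping the
    token does not bypass the check.
    """
    value, sep, mac = signed.rpartition(SEP)
    if not sep:
        return False, None
    msg = f"{name}\x00{value}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, mac):
        return False, None
    return True, value


def hidden_input(name: str, value: str) -> str:
    """Render a signed hidden field, mirroring the example in the mail."""
    return f'<input name="{name}" type="hidden" value="{sign_value(name, value)}">'


def check_request(query_string: str, protected_fields):
    """Validate the protected parameters of an incoming request.

    Returns a dict of verified plain values, or None if the request must
    be denied (missing field, duplicated field, or MAC mismatch).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    verified = {}
    for name in protected_fields:
        values = params.get(name)
        if not values or len(values) != 1:
            return None
        ok, value = verify_value(name, values[0])
        if not ok:
            return None
        verified[name] = value
    return verified


if __name__ == "__main__":
    field = hidden_input("year", "1984")
    print(field)
    signed = sign_value("year", "1984")
    print("original:", verify_value("year", signed))
    print("tampered:", verify_value("year", "1982" + signed[4:]))
```

The same idea applies to URL parameters and cookies: the server emits `value?MSEC=<mac>`, and on the next request only values whose MAC verifies are accepted. Note that this protects integrity, not replay: a client can still resubmit an old signed value, so anything that must be single-use needs a nonce or expiry folded into the signed message as well.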