csrf protector
TRANSCRIPT
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
CSRF Protector: a newer approach for mitigating CSRF
15.03.15
OWASP: Open Web Application Security Project
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organisation focused on improving the security of software. Our mission is to make software security visible, so that individuals and organisations worldwide can make informed decisions about true software security risks.
sh-3.5: whoami
Student - Computer Engineering - 6th Semester
Google Summer of Code 2014 - with OWASP
Wrote a few lines of code for the OWASP Foundation, Mozilla Foundation & phpMyAdmin project.
Developer, Todo CI (todo-ci.org)
Super excited about - browser plugins, information security, javascript, FOSSASIA, Maths, Trigonometry?
fact#0: HTTP is a stateless protocol, so we generally use cookies for maintaining state and for authenticating/validating users.
fact#1: Whenever a request originates from a browser (client) to a server, all cookies associated with that server are sent along with the request, irrespective of the origin of the request.
So if an attacker can somehow get a request sent to the server with those cookies, to perform something that usually needs authentication, the attacker will succeed. This is bad, and this is CSRF.
CSRF: Cross Site Request Forgery (often pronounced See-Surf)
Other possibilities:
If there is CSRF vulnerability in admin panel of a website, whole website can be compromised!
Hijacking primary DNS server setting of your router! -> phishing, mitm etc.!
…Add more!
Want to see it work? Visit superlogout.com
Read More at OWASP CSRF Cheat Sheets, Just Google it!
CSRF Protector Project
A new anti-CSRF method to protect web applications! It has two parts for now:
• A standalone PHP library
• An Apache 2.x.x module
While for CSRF Protector it's
for the PHP library ^^
In the case of the Apache module, it's as simple as installing the module and restarting Apache:
Supports AJAX & dynamic forms
• We also have custom wrappers in JS that ensure our injected token doesn't create any conflict with the developer-designed logic of form validation functions!
• We support the old attachEvent() & ActiveObject() methods that exist in IE (<= 6.0)
Supports GET requests!
We use these types of regex rules to match URLs at validation time & pass them on to the JavaScript code so that it knows which requests to attach tokens to!
They are stored in the configuration!
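The two slides above (the JS wrappers that respect the developer's own form validation, and the configured regex rules that select which GET URLs carry a token), as one added example for the browser side. This is not CSRF Protector's own code: the token name, the rules list and the request and form shapes are constructed for the demo, and the DOM is stood in for by plain objects so it runs under Node.js.

```javascript
// Added example (not CSRF Protector's own code): the client-side half of the
// scheme. Constructed configuration rules decide which GET URLs carry a token
// (state-changing methods always do), prepareRequest() attaches the token to
// either the query string or the form body, and a submit wrapper runs the
// developer's own validation before the token is injected. Names are assumptions.
const TOKEN_NAME = "csrfp_token";

// Constructed rules: only GET requests whose URL matches get a token, so
// harmless GETs (public pages) are left untouched.
const GET_RULES = [
  /^https:\/\/example\.com\/admin\//,
  /^https:\/\/example\.com\/account\/delete\b/,
];

function needsToken(method, url, rules = GET_RULES) {
  const m = method.toUpperCase();
  if (m === "POST" || m === "PUT" || m === "DELETE" || m === "PATCH") return true;
  if (m === "GET") return rules.some((re) => re.test(url));
  return false;
}

// Append the token as a query parameter without breaking existing parameters
// or the fragment; URL takes care of encoding.
function addTokenToUrl(url, token) {
  const u = new URL(url);
  u.searchParams.set(TOKEN_NAME, token);
  return u.toString();
}

// Append the token to an application/x-www-form-urlencoded body.
function addTokenToBody(body, token) {
  const params = new URLSearchParams(body || "");
  params.set(TOKEN_NAME, token);
  return params.toString();
}

// Decide where the token goes for a request about to leave the browser (what
// an XHR send() wrapper would do). Returns a new request object.
function prepareRequest(request, token, rules = GET_RULES) {
  const { method, url, body } = request;
  if (!needsToken(method, url, rules)) return { ...request };
  if (method.toUpperCase() === "GET") return { ...request, url: addTokenToUrl(url, token) };
  return { ...request, body: addTokenToBody(body, token) };
}

// Wrap a developer-supplied submit handler: their validation sees the untouched
// fields first; only if it passes is the token injected into what is sent.
function wrapSubmitHandler(developerOnSubmit, token) {
  return function onSubmit(fields) {
    if (developerOnSubmit(fields) === false) return { submitted: false, body: null };
    const body = addTokenToBody(new URLSearchParams(fields).toString(), token);
    return { submitted: true, body };
  };
}
```

Keeping the rules in configuration rather than in the script means the server-side validator and the injecting script read the same list, so a GET that the server will check for a token is always one the script knows to decorate.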
A better option for apps that support plugins
For example WordPress!
It ensures the weblog won't have to rely on the plugin developer for ensuring security!
Roadmaps?
An Apache 2.2 module that works on Windows systems!
An Apache 2.4.x module
Automated testing (Continuous Integration) for Apache module!
Support for legitimate cross-domain requests!
CSRF Protector Project
Project Leader
Abbas Naderi
Primary Contributor
<— — — — — — — That’s me!
Project Mentors
Kevin W. Wall & Jim Manico
Other Contributors
Abhinav Dahiya
Based on the paper: Automatic CSRF protection for Web 2.0 applications, by R. Sekar & Riccardo Pelizzi
Project Wiki: https://owasp.org/index.php/CSRFProtector_Project
github: mebjas
twitter: minhazav
Feedback? Questions?
Want to learn / Discuss design of the library - talk to me!