OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x module, which help web developers and system administrators mitigate CSRF vulnerabilities in their web applications with ease.
Presentation of my talk at FOSSASIA 2015
2. OWASP
OWASP: Open Web Application Security Project
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organisation focused on improving the security of software. Our mission is to make software security visible, so that individuals and organisations worldwide can make informed decisions about true software security risks.
3. OWASP
sh-3.5: whoami
Student - Computer Engineering - 6th Semester
Google Summer of Code 2014 - with OWASP
Wrote a few lines of code for the OWASP Foundation, Mozilla Foundation & Phpmyadmin project.
Developer, Todo CI (todo-ci.org)
Super excited about - browser plugins, information security,
javascript, FOSSASIA, Maths, Trigonometry?
5. OWASP
fact#0: HTTP is a stateless protocol, so we generally use cookies to maintain state and to authenticate/validate users.
fact#1: Whenever a request originates from a browser (client) to a server, all cookies associated with that server are sent along with the request, irrespective of the origin of the request.
So if an attacker can somehow make the browser send a request, with its cookies, to the server to perform something that usually needs authentication, the attacker will succeed. This is ba
CSRF: Cross Site Request Forgery
(Often pronounced See-Surf)
7. OWASP
Other possibilities:
If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!
Hijacking the primary DNS server setting of your router! -> phishing, MITM etc.!
…Add more!
Want to see it work? Visit superlogout.com
Read more at the OWASP CSRF Cheat Sheet; just Google it!
9. OWASP
CSRF Protector Project
A new anti-CSRF method to protect web applications
It has two parts for now:
- A standalone php library
- An Apache 2.x.x module
13. OWASP
While for CSRF Protector, this is it for the php library ^^
In the case of the Apache module, it's as simple as installing the module and restarting Apache:
14. OWASP
Supports AJAX & dynamic forms (2)
• We also have custom wrappers in JS that ensure the injected token doesn't create any conflict with the developer's own form-validation logic!
• We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0)
15. OWASP
Supports GET requests! (3)
We use regex rules like these to match URLs at validation time and pass them on to the JavaScript code so that it knows which requests to attach tokens to!
They're stored in the configuration!
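The client side of the two previous slides, as an added example that is not CSRF Protector's own JavaScript: a regex rule list deciding which GET URLs receive a token, an idempotent hidden-field injection for (dynamically created) POST forms, and a wrapper around an XMLHttpRequest-like object that adds the token header only on same-origin requests. The token name `csrfp_token`, the origin `https://app.example` and the rule patterns are assumptions constructed for the demonstration; the fake XHR object exists only so the wrapper can run outside a browser.

```javascript
// Added example, not CSRF Protector's own JavaScript. The token name, the app
// origin and the rule list are assumptions constructed for the demonstration.
const TOKEN_NAME = 'csrfp_token';         // assumed name for the hidden field, query parameter and header
const APP_ORIGIN = 'https://app.example'; // constructed origin of the protected app

// Constructed rule set: a GET request gets a token only if its URL matches one of
// these. The patterns are anchored at the start so that a look-alike host such as
// https://app.example.evil/admin/ does not match.
const verifyGetFor = [
  /^https:\/\/app\.example\/account\/delete(\?.*)?$/,
  /^https:\/\/app\.example\/admin\//,
];

function needsToken(url, rules = verifyGetFor) {
  return rules.some((re) => re.test(url));
}

// GET: append the token as a query parameter, but only for URLs the rules select,
// so the token is not sprayed over every link on the page.
function withToken(url, token, rules = verifyGetFor) {
  if (!needsToken(url, rules)) return url;
  const u = new URL(url);
  u.searchParams.set(TOKEN_NAME, token); // set() replaces an existing value, no duplicates
  return u.toString();
}

// Forms are modelled as { method, fields: [{ name, value, type }] }. Injection is
// idempotent, so running it again when a dynamic form is re-rendered or re-validated
// by the developer's own code does not add a second token field.
function injectHiddenField(form, token) {
  if ((form.method || 'GET').toUpperCase() !== 'POST') return form; // GET forms follow the URL rules
  const existing = form.fields.find((f) => f.name === TOKEN_NAME);
  if (existing) {
    existing.value = token;
  } else {
    form.fields.push({ name: TOKEN_NAME, type: 'hidden', value: token });
  }
  return form;
}

// AJAX: wrap open/send on an XMLHttpRequest-like object so the token travels as a
// header on same-origin requests. Requests to other origins never get the header;
// otherwise the wrapper itself would leak the token to third parties.
function wrapXhr(xhr, token) {
  const origOpen = xhr.open;
  const origSend = xhr.send;
  xhr.open = function (method, url, ...rest) {
    this._csrfpUrl = new URL(url, APP_ORIGIN).toString(); // resolves relative URLs against the app
    this._csrfpMethod = String(method).toUpperCase();
    return origOpen.call(this, method, url, ...rest);
  };
  xhr.send = function (body) {
    const sameOrigin = this._csrfpUrl.startsWith(APP_ORIGIN + '/');
    if (sameOrigin && (this._csrfpMethod !== 'GET' || needsToken(this._csrfpUrl))) {
      this.setRequestHeader(TOKEN_NAME, token);
    }
    return origSend.call(this, body);
  };
  return xhr;
}

// Minimal stand-in for XMLHttpRequest so the wrapper can be exercised outside a browser.
function makeFakeXhr() {
  return {
    headers: {},
    open(method, url) { this.opened = [method, url]; },
    send(body) { this.sent = body; },
    setRequestHeader(name, value) { this.headers[name] = value; },
  };
}
```

Two design choices matter for a deployment: the GET rules must be anchored (an unanchored `admin` would match a look-alike host and send the token there), and the XHR wrapper must check the resolved origin before adding the header, since a wrapper that blindly decorates every request turns the token into something any third-party endpoint the page talks to can collect.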
16. OWASP
A better option for apps that support plugins (4)
For example WordPress!
It ensures the weblog won't have to rely on plugin developers for its security!
17. OWASP
Roadmaps?
- An Apache 2.2 module that works on Windows systems!
- An Apache 2.4.x module
- Automated testing (Continuous Integration) for the Apache module!
- Support for legitimate cross-domain requests!
18. OWASP
CSRF Protector Project
Project Leader
Abbas Naderi
Primary Contributor
<— — — — — — — That’s me!
Project Mentors
Kevin W. Wall & Jim Manico
Other Contributors
Abhinav Dahiya
Based on the paper "automatic CSRF protection for Web 2.0 applications" by R. Sekar & Riccardo Pelizzi