Csrf protector

Software Developer at Microsoft
Mar. 15, 2015


  1. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, OWASP, http://www.owasp.org. CSRF Protector: a newer approach for mitigating CSRF. 15.03.15

  2. OWASP. OWASP: Open Web Application Security Project. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organisation focused on improving the security of software. Our mission is to make software security visible, so that individuals and organisations worldwide can make informed decisions about true software security risks.

  3. OWASP. sh-3.5: whoami - Student, Computer Engineering, 6th Semester - Google Summer of Code 2014, with OWASP - Wrote a few lines of code for the OWASP Foundation, Mozilla Foundation and the phpMyAdmin project - Developer, Todo CI (todo-ci.org). Super excited about: browser plugins, information security, JavaScript, FOSSASIA, maths, trigonometry?

  4. OWASP. So what's CSRF?

  5. OWASP. fact#0: HTTP is a stateless protocol, so we generally use cookies for maintaining state and for authenticating/validating users. fact#1: Whenever a request originates from a browser (client) to a server, all cookies associated with that server are sent along with the request, irrespective of the origin of the request. So if the attacker can somehow get the browser to send a request with those cookies to the server and make it perform something that normally needs authentication, the attacker will succeed. This is ba CSRF: Cross Site Request Forgery (often pronounced See-Surf)

  6. OWASP. Time for demo or we'll have

  7. OWASP. Other possibilities: If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised! Hijacking the primary DNS server setting of your router -> phishing, MITM, etc.! ...Add more! Want to see it work? Visit superlogout.com. Read more in the OWASP CSRF Cheat Sheet; just Google it!

  8. OWASP. So what does CSRFP have for you?

  9. OWASP. CSRF Protector Project: a new anti-CSRF method to protect web applications. It has two parts for now: a standalone PHP library and an Apache 2.x.x module.

  10. OWASP.

  11. OWASP. (1) Easy to work with or integrate

  12. OWASP. Laravel PHP framework; WordPress plugins

  13. OWASP. While for CSRF Protector, that is for the PHP library ^^ In the case of the Apache module, it's as simple as installing the module and restarting Apache:

  14. OWASP. (2) Supports AJAX & dynamic forms • We also have custom wrappers in JS that ensure our injected token doesn't create any conflict with the form validation functions the developer designed! • We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0)

  15. OWASP. (3) Supports GET requests! We use regex rules of this type to match URLs at validation time, and pass them on to the JavaScript code so that it knows which requests to attach tokens to! They are stored in the configuration!
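Slides 14 and 15 describe a client-side helper that attaches the token to AJAX requests and to the GET URLs selected by configured regex rules. The block below is an added Node example of that idea, not the CSRF Protector JavaScript; the configuration layout (`verifyGetFor`, `tokenName`), the origin and the rules are constructed assumptions, and it also shows the same-origin check a practitioner wants so the token never travels to a third-party host.

```javascript
// Added example: pick the GET URLs that need the anti-CSRF token from a
// rule list and append it without breaking query strings or fragments.

// Constructed configuration; each rule is a regex over origin+path+query.
const config = {
  origin: 'https://app.example.test',
  tokenName: 'csrfp_token',            // assumed parameter name
  verifyGetFor: [
    '^https://app\\.example\\.test/account/delete(\\?.*)?$',
    '^https://app\\.example\\.test/admin/.*$',
  ],
};

// Compile the rules once; this is what the server would hand to the client.
function compileRules(cfg) {
  return cfg.verifyGetFor.map((p) => new RegExp(p));
}
const rules = compileRules(config);

// Normalise a relative or absolute URL against the app origin, dropping the
// fragment, which is never sent to the server and must not affect matching.
function matchTarget(url, cfg) {
  const u = new URL(url, cfg.origin);
  return { url: u, key: u.origin + u.pathname + u.search };
}

// True only for same-origin URLs matching a configured rule.
function needsToken(url, cfg = config, compiled = rules) {
  const { url: u, key } = matchTarget(url, cfg);
  if (u.origin !== cfg.origin) return false; // never leak the token cross-origin
  return compiled.some((re) => re.test(key));
}

// Return the URL with the token as a query parameter when a rule matches;
// other URLs come back unchanged so unrelated requests are not touched.
function attachToken(url, token, cfg = config, compiled = rules) {
  if (!needsToken(url, cfg, compiled)) return url;
  const { url: u } = matchTarget(url, cfg);
  u.searchParams.set(cfg.tokenName, token);
  return u.href;
}
```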

  16. OWASP. (4) A better option for apps that support plugins. For example WordPress! It ensures the weblog won't have to rely on plugin developers for ensuring security!

  17. OWASP. Roadmap? An Apache 2.2 module that works on Windows systems! An Apache 2.4.x module. Automated testing (continuous integration) for the Apache module! Support for legitimate cross-domain requests!

  18. OWASP. CSRF Protector Project. Project Leader: Abbas Naderi. Primary Contributor: <-- That's me! Project Mentors: Kevin W. Wall & Jim Manico. Other Contributors: Abhinav Dahiya. Based on the paper "Automatic CSRF protection for Web 2.0 applications" by R. Sekar & Riccardo Pelizzi.

  19. OWASP. Project Wiki: https://owasp.org/index.php/CSRFProtector_Project. Minhaz, minhaz@owasp.org, github: mebjas, twitter: minhazav. Feedback? Questions? Want to learn about or discuss the design of the library? Talk to me!