Csrf protector

882 views

Published on

OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x module which helps web developer/ system administrator to mitigate CSRF vulnerability in their web application with ease.
Presentation of my talk at FOSSASIA 2015

Published in: Software
Csrf protector

  1. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org. CSRF Protector: a newer approach for mitigating CSRF. 15.03.15
  2. OWASP: Open Web Application Security Project. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organisation focused on improving the security of software. Our mission is to make software security visible, so that individuals and organisations worldwide can make informed decisions about true software security risks.
  3. sh-3.5: whoami. Student, Computer Engineering, 6th semester. Google Summer of Code 2014 with OWASP. Wrote a few lines of code for the OWASP Foundation, the Mozilla Foundation and the phpMyAdmin project. Developer, Todo CI (todo-ci.org). Super excited about: browser plugins, information security, JavaScript, FOSSASIA, maths, trigonometry?
  4. So what's CSRF?
  5. fact#0: HTTP is a stateless protocol, so we generally use cookies for maintaining state and for authenticating/validating users. fact#1: Whenever a request originates from a browser (client) to a server, all cookies associated with that server are sent along with the request, irrespective of the origin of the request. So if the attacker can somehow get the browser to send a request, with its cookies, to the server and perform something that usually needs authentication, the attacker will succeed. This is CSRF: Cross Site Request Forgery (often pronounced "See-Surf").
  6. Time for demo, or we'll have ...
  7. Other possibilities: If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised! Hijacking the primary DNS server setting of your router! -> phishing, MITM etc.! ...Add more! Want to see it work? Visit superlogout.com. Read more at the OWASP CSRF Cheat Sheets, just Google it!
  8. So what does the CSRFP have for you?
  9. CSRF Protector Project. A new anti-CSRF method to protect web applications. It has two parts for now: a standalone PHP library, and an Apache 2.x.x module.
  10. (image-only slide)
  11. Easy to work with or integrate (1)
  12. Laravel PHP framework. WordPress plugins.
  13. While for CSRF Protector it's ... for the PHP library ^^ In the case of the Apache module, it's as simple as installing the module and restarting Apache:
  14. Supports AJAX & dynamic forms (2). We also have custom wrappers in JS that ensure our injected token doesn't create any conflict with the logic the developer designed for form-validation functions! We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0).
  15. Supports GET requests! (3). We use regex rules of this type to match URLs at validation time, and pass them on to the JavaScript code so that it knows which requests to attach tokens to! They are stored in the configuration!
  16. A better option for apps that support plugins (4). For example WordPress! It ensures the weblog won't have to rely on plugin developers for ensuring security!
  17. Roadmap? An Apache 2.2 module that works on Windows systems! An Apache 2.4.x module. Automated testing (continuous integration) for the Apache module! Support for legitimate cross-domain requests!
  18. CSRF Protector Project. Project Leader: Abbas Naderi. Primary Contributor: <-- that's me! Project Mentors: Kevin W. Wall & Jim Manico. Other Contributors: Abhinav Dahiya. Based on the paper "Automatic CSRF protection for Web 2.0 applications" by R. Sekar & Riccardo Pelizzi.
  19. Project Wiki: https://owasp.org/index.php/CSRFProtector_Project. Minhaz, minhaz@owasp.org, github: mebjas, twitter: minhazav. Feedback? Questions? Want to learn / discuss the design of the library? Talk to me!
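The client-side behaviour described on slides 14 and 15, as an added example that is not code from the CSRF Protector project: a wrapper around an XHR-like class that attaches the token to every non-GET request and to GET requests whose path matches a configured regex rule, without touching the page's own open()/send() calls. The rule list, the csrfp_token parameter name and the getToken callback (which would read the token cookie in a real deployment) are assumptions for this demo.

```javascript
// Added illustration, not CSRF Protector's own code. The parameter name,
// the rule list and the getToken callback are assumptions for this demo.
const CSRF_TOKEN_PARAM = "csrfp_token";

// Constructed config: regex rules (kept as strings, as on slide 15) for
// GET URLs that change state and therefore must carry the token.
const GET_URL_RULES = ["^/account/delete", "^/admin/"];

// All non-GET requests need the token; a GET needs it only when its path
// matches one of the configured rules.
function needsToken(method, url, rules = GET_URL_RULES) {
  if (method.toUpperCase() !== "GET") return true;
  const path = new URL(url, "http://localhost").pathname;
  return rules.some((rule) => new RegExp(rule).test(path));
}

// Append the token as a query parameter, keeping any existing parameters.
function appendToken(url, token) {
  const u = new URL(url, "http://localhost");
  u.searchParams.set(CSRF_TOKEN_PARAM, token);
  return u.pathname + u.search;
}

// Wrap an XHR-like constructor (window.XMLHttpRequest in a browser) so the
// token is attached transparently; the page's own open()/send() calls and
// form-validation logic stay untouched (slide 14).
function wrapXhr(XhrClass, getToken) {
  return class extends XhrClass {
    open(method, url, ...rest) {
      this._csrfNeeded = needsToken(method, url);
      this._csrfIsGet = method.toUpperCase() === "GET";
      const finalUrl = this._csrfNeeded && this._csrfIsGet
        ? appendToken(url, getToken()) : url;
      return super.open(method, finalUrl, ...rest);
    }
    send(body) {
      // Non-GET requests carry the token in a request header instead.
      if (this._csrfNeeded && !this._csrfIsGet) {
        this.setRequestHeader(CSRF_TOKEN_PARAM, getToken());
      }
      return super.send(body);
    }
  };
}
```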