SlideShare a Scribd company logo

OWASP CSRF Protector

Download as PPTX, PDF
Minhaz A V
Minhaz A V

OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x module which helps web developer/ system administrator to mitigate CSRF vulnerability in their web application with ease.

Software
1 of 28
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP CSRF Protector Minhaz 3rd year, Computer Engineering Delhi Technological University minhaz@owasp.org 20.09.14
OWASP What all I’ll cover? Very brief introduction of CSRF Introduction: CSRF Protector Project Software Design Brief introduction on implementation & final products Salient Features Roadmaps & Plans Feedbacks & Questions 2
OWASP 3 So what’s CSRF? SKIP
OWASP 4 Nice Server http://www.bestbank.com Admin ******** BestBank Login Page Login Forgot Password? Protected by 128 bit encryption ….. Request URL: http://www.bestbank.com/ ….. ….. Form Data: username=Admin&password=Password ….. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-chec k=0 Connection: Keep-Alive … Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT Cross Site Request Forgery
OWASP Nice Server http://www.bestbank.com Welcome AdminMoney Transfer BestBank.com
OWASP Nice Server http://www.bestbank.com/moneytransfer.php Welcome AdminBestBank Money Transfer 10002 Transfer Receiver's Account No Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=10002&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23 1,00,000Amount
OWASP Evil Server http://www.evil.com Evil Contents are always nice!! Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=1337&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23
OWASP Nice Server http://www.bestbank.com/summary/ Welcome AdminBestBank Transactions Sl No Account No Amount Date Balance 1 10002 INR 100000 10.09.14 INR 1500000 2 1337 INR 100000 11.09.14 INR 1400000
OWASP Other possibilities: If there is CSRF vulnerability in admin panel of a website, whole website can be compromised! Hijacking primary DNS server setting of your router! -> phishing, mitm etc.! …Add more! Want to see it work? Visit superlogout.com Read More at OWASP CSRF Cheat Sheets, Just Google it! 9
OWASP CSRF Protector Project Project Leader Abbas Naderi Primary Contributor that’s me! Project Mentors Kevin W. Wall & Jim Manico Other Contributors Abhinav Dahiya 10
OWASP CSRF Protector Project 11 A new anti-CSRF method to protect web applications! It has two parts for now: A standalone php library An Apache 2.x.x module
OWASP
OWASP … … web application logic … Server Side Interceptor / Input Filter Output Filter Request from client Response to client
OWASP Has token in cookie (C) Has token in request (T) C == T Allow the request, Generate another Pseudo Random token & send it back to client! Take Action as per configuration: • Send back a 403 • Send back a 404 • Show a custom error message • Redirect user to a custom URL • Strip all request arguments and allow the request Yes Yes Yes No No No BACKServer Side Interceptor / Input Filter
OWASP Output Filter • Works on Regular Expression based matching! • It injects a JavaScript code just after the closing </body> tag when there is an HTML output. • Our Normal versions also injects a <noscript> tag and a message inside it, asking user to enable JavaScript if not already done! We also have a version that works without JavaScript in case of php library
OWASP The JavaScript's job It does the primary job! The JavaScript code running on client’s machine ensure that, for each request that needs CSRF validation a token is attached to it at the point of dispatch! So, tokens are attached with every POST request and certain GET requests (allowed by rules in configuration) originating from the browser! Something which attacker cannot craft! 16
OWASP
OWASP Correctness of the design Scripts running on attacker’s website cannot retrieve token from other websites, because of Same Origin Policy of browsers! Attacker cannot use his token to authenticate requests in other websites. Attacker cannot guess tokens based on ones he has as each time a new pseudo random token is generated for each request (& each user). And PRNG in reseeded after every 10000 requests! 18
OWASP
OWASP 20 Standalone library for CSRF Mitigation in php based applications. Can be easily integrated with existing web applications or can be used while developing new ones. Features: 1. Highly customisable! 2. Supports POST / GET requests! 3. Easy to alter according to your needs! 4. Works well with all php versions > 5.0
OWASP • It can be easily installed on apache 2.2 servers! Its distributed as a shared object file! • Easy to configure, by modifying fields in httpd.conf file (Apache’s configuration file) • Developer doesn’t need to make any changes to its web applications, so even server administrator can implement this in their servers. • Has currently been tested with Linux (Ubuntu) and OS X only!
OWASP 22
OWASP 23 Easy to work with or Integrate 1
OWASP 24 Supports AJAX & dynamic forms 2 • We also have custom wrappers in JS that ensures that our injected token doesn’t creates any conflict when developer designed logic for form validation functions! • We support the old attachEvent() & ActiveObject() methods that exist in IE ( <= 6.0)
OWASP 25 Supports GET requests! 3 We use these type of regex rules to match urls at time of validation & pass it on to JavaScript code so that it knows what all requests to attach tokens with! Its stored in configuration!
OWASP A better option for apps that support plugins 4 For example wordpress!
OWASP Roadmaps? Apache 2.2 module that works with windows system! Automated testing (Continuous Integration) for Apache module! Support for legitimate cross-domain requests! 27
OWASP https://owasp.org/index.php/CSRFProtector_Project

Recommended

Csrf protector
Csrf protectorCsrf protector
Csrf protector
Minhaz A V
 
The moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaThe moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 
Csp july2015
Csp july2015Csp july2015
Csp july2015
n|u - The Open Security Community
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
Joomla spécialiste
Joomla spécialisteJoomla spécialiste
Joomla spécialiste
Romain Caisse
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
Manjyot Singh
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
Fadi Abdulwahab
 

Recommended

Csrf protector
Csrf protectorCsrf protector
Csrf protector
Minhaz A V
 
The moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaThe moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 
Csp july2015
Csp july2015Csp july2015
Csp july2015
n|u - The Open Security Community
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
Joomla spécialiste
Joomla spécialisteJoomla spécialiste
Joomla spécialiste
Romain Caisse
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
Manjyot Singh
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) Professionals
Anant Shrivastava
 
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/MinAdvanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Masahiro Nagano
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
Progressive Web App Testing With Cypress.io
Progressive Web App Testing With Cypress.ioProgressive Web App Testing With Cypress.io
Progressive Web App Testing With Cypress.io
Knoldus Inc.
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
SQL INJECTIONS EVERY TESTER NEEDS TO KNOWSQL INJECTIONS EVERY TESTER NEEDS TO KNOW
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
Vladimir Arutin
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
Priyanka Aash
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 

More Related Content

What's hot

Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) Professionals
Anant Shrivastava
 
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/MinAdvanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Masahiro Nagano
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
Progressive Web App Testing With Cypress.io
Progressive Web App Testing With Cypress.ioProgressive Web App Testing With Cypress.io
Progressive Web App Testing With Cypress.io
Knoldus Inc.
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
SQL INJECTIONS EVERY TESTER NEEDS TO KNOWSQL INJECTIONS EVERY TESTER NEEDS TO KNOW
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
Vladimir Arutin
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
Priyanka Aash
 

What's hot (20)

Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) Professionals
 
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/MinAdvanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
 
Progressive Web App Testing With Cypress.io
Progressive Web App Testing With Cypress.ioProgressive Web App Testing With Cypress.io
Progressive Web App Testing With Cypress.io
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
 
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
SQL INJECTIONS EVERY TESTER NEEDS TO KNOWSQL INJECTIONS EVERY TESTER NEEDS TO KNOW
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
 

Similar to OWASP CSRF Protector

How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Openwhisk - Colorado Meetups
Openwhisk - Colorado MeetupsOpenwhisk - Colorado Meetups
Openwhisk - Colorado Meetups
Upkar Lidder
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Nathen Harvey
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
Arjun Kumawat
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
Laravel overview
Laravel overviewLaravel overview
Laravel overview
Obinna Akunne
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for Developers
Amazon Web Services
 
Know about cake php framework with vertexplus
Know about cake php framework with vertexplusKnow about cake php framework with vertexplus
Know about cake php framework with vertexplus
VertexPlus Softwares Pvt. Ltd.
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
Tubagus Rizky Dharmawan
 

Similar to OWASP CSRF Protector (20)

How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Openwhisk - Colorado Meetups
Openwhisk - Colorado MeetupsOpenwhisk - Colorado Meetups
Openwhisk - Colorado Meetups
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Laravel overview
Laravel overviewLaravel overview
Laravel overview
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for Developers
 
Know about cake php framework with vertexplus
Know about cake php framework with vertexplusKnow about cake php framework with vertexplus
Know about cake php framework with vertexplus
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 

Recently uploaded

Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
dakas1
 
fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.
AnkitaPandya11
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
sjcobrien
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code KataHand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code Kata
Philip Schwarz
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
Karya Keeper
 
Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
Marcin Chrost
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
ToXSL Technologies
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
ShulagnaSarkar2
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Bert Jan Schrijver
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
kalichargn70th171
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
VALiNTRY360
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
gapen1
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Peter Muessig
 
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
mz5nrf0n
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 

Recently uploaded (20)

Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
 
fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code KataHand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code Kata
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
 
Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 

OWASP CSRF Protector

  • 1. Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP CSRF Protector Minhaz 3rd year, Computer Engineering Delhi Technological University minhaz@owasp.org 20.09.14
  • 2. OWASP What all I’ll cover? Very brief introduction of CSRF Introduction: CSRF Protector Project Software Design Brief introduction on implementation & final products Salient Features Roadmaps & Plans Feedbacks & Questions 2
  • 3. OWASP 3 So what’s CSRF? SKIP
  • 4. OWASP 4 Nice Server http://www.bestbank.com Admin ******** BestBank Login Page Login Forgot Password? Protected by 128 bit encryption ….. Request URL: http://www.bestbank.com/ ….. ….. Form Data: username=Admin&password=Password ….. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-chec k=0 Connection: Keep-Alive … Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT Cross Site Request Forgery
  • 6. OWASP Nice Server http://www.bestbank.com/moneytransfer.php Welcome AdminBestBank Money Transfer 10002 Transfer Receiver's Account No Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=10002&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23 1,00,000Amount
  • 7. OWASP Evil Server http://www.evil.com Evil Contents are always nice!! Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=1337&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23
  • 8. OWASP Nice Server http://www.bestbank.com/summary/ Welcome AdminBestBank Transactions Sl No Account No Amount Date Balance 1 10002 INR 100000 10.09.14 INR 1500000 2 1337 INR 100000 11.09.14 INR 1400000
  • 9. OWASP Other possibilities: If there is CSRF vulnerability in admin panel of a website, whole website can be compromised! Hijacking primary DNS server setting of your router! -> phishing, mitm etc.! …Add more! Want to see it work? Visit superlogout.com Read More at OWASP CSRF Cheat Sheets, Just Google it! 9
  • 10. OWASP CSRF Protector Project Project Leader Abbas Naderi Primary Contributor that’s me! Project Mentors Kevin W. Wall & Jim Manico Other Contributors Abhinav Dahiya 10
  • 11. OWASP CSRF Protector Project 11 A new anti-CSRF method to protect web applications! It has two parts for now: A standalone php library An Apache 2.x.x module
  • 12. OWASP
  • 13. OWASP … … web application logic … Server Side Interceptor / Input Filter Output Filter Request from client Response to client
  • 14. OWASP Has token in cookie (C) Has token in request (T) C == T Allow the request, Generate another Pseudo Random token & send it back to client! Take Action as per configuration: • Send back a 403 • Send back a 404 • Show a custom error message • Redirect user to a custom URL • Strip all request arguments and allow the request Yes Yes Yes No No No BACKServer Side Interceptor / Input Filter
  • 15. OWASP Output Filter • Works on Regular Expression based matching! • It injects a JavaScript code just after the closing </body> tag when there is an HTML output. • Our Normal versions also injects a <noscript> tag and a message inside it, asking user to enable JavaScript if not already done! We also have a version that works without JavaScript in case of php library
  • 16. OWASP The JavaScript's job It does the primary job! The JavaScript code running on client’s machine ensure that, for each request that needs CSRF validation a token is attached to it at the point of dispatch! So, tokens are attached with every POST request and certain GET requests (allowed by rules in configuration) originating from the browser! Something which attacker cannot craft! 16
  • 17. OWASP
  • 18. OWASP Correctness of the design Scripts running on attacker’s website cannot retrieve token from other websites, because of Same Origin Policy of browsers! Attacker cannot use his token to authenticate requests in other websites. Attacker cannot guess tokens based on ones he has as each time a new pseudo random token is generated for each request (& each user). And PRNG in reseeded after every 10000 requests! 18
  • 19. OWASP
  • 20. OWASP 20 Standalone library for CSRF Mitigation in php based applications. Can be easily integrated with existing web applications or can be used while developing new ones. Features: 1. Highly customisable! 2. Supports POST / GET requests! 3. Easy to alter according to your needs! 4. Works well with all php versions > 5.0
  • 21. OWASP • It can be easily installed on apache 2.2 servers! Its distributed as a shared object file! • Easy to configure, by modifying fields in httpd.conf file (Apache’s configuration file) • Developer doesn’t need to make any changes to its web applications, so even server administrator can implement this in their servers. • Has currently been tested with Linux (Ubuntu) and OS X only!
  • 23. OWASP 23 Easy to work with or Integrate 1
  • 24. OWASP 24 Supports AJAX & dynamic forms 2 • We also have custom wrappers in JS that ensures that our injected token doesn’t creates any conflict when developer designed logic for form validation functions! • We support the old attachEvent() & ActiveObject() methods that exist in IE ( <= 6.0)
  • 25. OWASP 25 Supports GET requests! 3 We use these type of regex rules to match urls at time of validation & pass it on to JavaScript code so that it knows what all requests to attach tokens with! Its stored in configuration!
  • 26. OWASP A better option for apps that support plugins 4 For example wordpress!
  • 27. OWASP Roadmaps? Apache 2.2 module that works with windows system! Automated testing (Continuous Integration) for Apache module! Support for legitimate cross-domain requests! 27