Minhaz A V, profile picture
Uploaded byMinhaz A V
PPTX, PDF867 views

OWASP CSRF Protector

The document discusses the OWASP CSRF Protector project, which aims to mitigate cross-site request forgery (CSRF) vulnerabilities in web applications. It provides an overview of the CSRF concept, the architecture of the protector, its implementation, and future plans. Key features include a standalone PHP library and an Apache module, emphasizing customization and security measures to protect user requests.

Embed presentation

Downloaded 13 times
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP CSRF Protector Minhaz 3rd year, Computer Engineering Delhi Technological University minhaz@owasp.org 20.09.14
OWASP What all I’ll cover? Very brief introduction of CSRF Introduction: CSRF Protector Project Software Design Brief introduction on implementation & final products Salient Features Roadmaps & Plans Feedbacks & Questions 2
OWASP 3 So what’s CSRF? SKIP
OWASP 4 Nice Server http://www.bestbank.com Admin ******** BestBank Login Page Login Forgot Password? Protected by 128 bit encryption ….. Request URL: http://www.bestbank.com/ ….. ….. Form Data: username=Admin&password=Password ….. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-chec k=0 Connection: Keep-Alive … Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT Cross Site Request Forgery
OWASP Nice Server http://www.bestbank.com Welcome AdminMoney Transfer BestBank.com
OWASP Nice Server http://www.bestbank.com/moneytransfer.php Welcome AdminBestBank Money Transfer 10002 Transfer Receiver's Account No Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=10002&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23 1,00,000Amount
OWASP Evil Server http://www.evil.com Evil Contents are always nice!! Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=1337&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23
OWASP Nice Server http://www.bestbank.com/summary/ Welcome AdminBestBank Transactions Sl No Account No Amount Date Balance 1 10002 INR 100000 10.09.14 INR 1500000 2 1337 INR 100000 11.09.14 INR 1400000
OWASP Other possibilities: If there is CSRF vulnerability in admin panel of a website, whole website can be compromised! Hijacking primary DNS server setting of your router! -> phishing, mitm etc.! …Add more! Want to see it work? Visit superlogout.com Read More at OWASP CSRF Cheat Sheets, Just Google it! 9
OWASP CSRF Protector Project Project Leader Abbas Naderi Primary Contributor that’s me! Project Mentors Kevin W. Wall & Jim Manico Other Contributors Abhinav Dahiya 10
OWASP CSRF Protector Project 11 A new anti-CSRF method to protect web applications! It has two parts for now: A standalone php library An Apache 2.x.x module
OWASP
OWASP … … web application logic … Server Side Interceptor / Input Filter Output Filter Request from client Response to client
OWASP Has token in cookie (C) Has token in request (T) C == T Allow the request, Generate another Pseudo Random token & send it back to client! Take Action as per configuration: • Send back a 403 • Send back a 404 • Show a custom error message • Redirect user to a custom URL • Strip all request arguments and allow the request Yes Yes Yes No No No BACKServer Side Interceptor / Input Filter
OWASP Output Filter • Works on Regular Expression based matching! • It injects a JavaScript code just after the closing </body> tag when there is an HTML output. • Our Normal versions also injects a <noscript> tag and a message inside it, asking user to enable JavaScript if not already done! We also have a version that works without JavaScript in case of php library
OWASP The JavaScript's job It does the primary job! The JavaScript code running on client’s machine ensure that, for each request that needs CSRF validation a token is attached to it at the point of dispatch! So, tokens are attached with every POST request and certain GET requests (allowed by rules in configuration) originating from the browser! Something which attacker cannot craft! 16
OWASP
OWASP Correctness of the design Scripts running on attacker’s website cannot retrieve token from other websites, because of Same Origin Policy of browsers! Attacker cannot use his token to authenticate requests in other websites. Attacker cannot guess tokens based on ones he has as each time a new pseudo random token is generated for each request (& each user). And PRNG in reseeded after every 10000 requests! 18
OWASP
OWASP 20 Standalone library for CSRF Mitigation in php based applications. Can be easily integrated with existing web applications or can be used while developing new ones. Features: 1. Highly customisable! 2. Supports POST / GET requests! 3. Easy to alter according to your needs! 4. Works well with all php versions > 5.0
OWASP • It can be easily installed on apache 2.2 servers! Its distributed as a shared object file! • Easy to configure, by modifying fields in httpd.conf file (Apache’s configuration file) • Developer doesn’t need to make any changes to its web applications, so even server administrator can implement this in their servers. • Has currently been tested with Linux (Ubuntu) and OS X only!
OWASP 22
OWASP 23 Easy to work with or Integrate 1
OWASP 24 Supports AJAX & dynamic forms 2 • We also have custom wrappers in JS that ensures that our injected token doesn’t creates any conflict when developer designed logic for form validation functions! • We support the old attachEvent() & ActiveObject() methods that exist in IE ( <= 6.0)
OWASP 25 Supports GET requests! 3 We use these type of regex rules to match urls at time of validation & pass it on to JavaScript code so that it knows what all requests to attach tokens with! Its stored in configuration!
OWASP A better option for apps that support plugins 4 For example wordpress!
OWASP Roadmaps? Apache 2.2 module that works with windows system! Automated testing (Continuous Integration) for Apache module! Support for legitimate cross-domain requests! 27
OWASP https://owasp.org/index.php/CSRFProtector_Project

More Related Content

PPTX
Csrf protector
byMinhaz A V
 
PDF
The moment my site got hacked - WordCamp Sofia
byMarko Heijnen
 
PPTX
Csp july2015
byn|u - The Open Security Community
 
PDF
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
PPTX
Joomla spécialiste
byRomain Caisse
 
PPTX
Security Testing - Zap It
byManjyot Singh
 
PPTX
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
PPTX
OWASP Zed Attack Proxy
byFadi Abdulwahab
 
Csrf protector
byMinhaz A V
 
The moment my site got hacked - WordCamp Sofia
byMarko Heijnen
 
Csp july2015
byn|u - The Open Security Community
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
Joomla spécialiste
byRomain Caisse
 
Security Testing - Zap It
byManjyot Singh
 
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
OWASP Zed Attack Proxy
byFadi Abdulwahab
 

What's hot

PDF
Android Pentesting
byn|u - The Open Security Community
 
ODP
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
ODP
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
bygmaran23
 
PDF
Android Tamer: Virtual Machine for Android (Security) Professionals
byAnant Shrivastava
 
PDF
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
byMasahiro Nagano
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
bySimon Bennetts
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
ODP
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
bygmaran23
 
PPTX
Progressive Web App Testing With Cypress.io
byKnoldus Inc.
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
PDF
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 
ODP
OWASP 2013 Limerick - ZAP: Whats even newer
bySimon Bennetts
 
PDF
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
ODP
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
bygmaran23
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
ODP
2014 ZAP Workshop 1: Getting Started
bySimon Bennetts
 
PDF
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
byVladimir Arutin
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
bySimon Bennetts
 
ODP
BSides Manchester 2014 ZAP Advanced Features
bySimon Bennetts
 
PDF
Technical Architecture of RASP Technology
byPriyanka Aash
 
Android Pentesting
byn|u - The Open Security Community
 
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
bygmaran23
 
Android Tamer: Virtual Machine for Android (Security) Professionals
byAnant Shrivastava
 
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
byMasahiro Nagano
 
2014 ZAP Workshop 2: Contexts and Fuzzing
bySimon Bennetts
 
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
bygmaran23
 
Progressive Web App Testing With Cypress.io
byKnoldus Inc.
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 
OWASP 2013 Limerick - ZAP: Whats even newer
bySimon Bennetts
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
bygmaran23
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
2014 ZAP Workshop 1: Getting Started
bySimon Bennetts
 
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
byVladimir Arutin
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
bySimon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
bySimon Bennetts
 
Technical Architecture of RASP Technology
byPriyanka Aash
 

Similar to OWASP CSRF Protector

PPTX
Mitigating CSRF with two lines of codes
byMinhaz A V
 
PPT
WebApps_Lecture_15.ppt
byOmprakashVerma56
 
PPT
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
PDF
Modern Web Application Defense
byFrank Kim
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
byOWASP Khartoum
 
PPTX
Cross site request forgery(csrf)
byAi Sha
 
PPTX
CSRF
byAkanksha Raikwar
 
PDF
CSRF Basics
byn|u - The Open Security Community
 
PPT
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
byjangomanso
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PPT
Owasp top 10
byAravindharamanan S
 
PDF
Understanding CSRF
byPotato
 
PDF
Cyber Security Workshop @SPIT- 3rd October 2015
byNilesh Sapariya
 
PPT
Cross Site Request Forgery
byTony Bibbs
 
PDF
Protecting Your Web Applications: How to Prevent Cross-Site Request Forgery (...
bySecuodsoft
 
PPTX
JSON based CSRF
byAmit Dubey
 
PPTX
CSRF 101
byaaron bishop
 
PPT
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 
Mitigating CSRF with two lines of codes
byMinhaz A V
 
WebApps_Lecture_15.ppt
byOmprakashVerma56
 
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
Modern Web Application Defense
byFrank Kim
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
byOWASP Khartoum
 
Cross site request forgery(csrf)
byAi Sha
 
CSRF
byAkanksha Raikwar
 
CSRF Basics
byn|u - The Open Security Community
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
byjangomanso
 
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
Owasp top 10
byAravindharamanan S
 
Understanding CSRF
byPotato
 
Cyber Security Workshop @SPIT- 3rd October 2015
byNilesh Sapariya
 
Cross Site Request Forgery
byTony Bibbs
 
Protecting Your Web Applications: How to Prevent Cross-Site Request Forgery (...
bySecuodsoft
 
JSON based CSRF
byAmit Dubey
 
CSRF 101
byaaron bishop
 
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 

Recently uploaded

PDF
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
PDF
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
PDF
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
PDF
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
PDF
DSD-INT 2025 iMOD Coupler - coupling Ribasim – MetaSWAP – MODFLOW 6 - Leander
byDeltares
 
PDF
Healthcare Mobile App Development: Features & Benefits
byjoealwyn38
 
PPTX
Orion Context Broker introduction 20260114
byFermin Galan
 
PDF
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
PPTX
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
PPTX
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
PPTX
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
PDF
Transferring Ideas to Impact -Driving Innovation and Demand with OnePlan
byOnePlan Solutions
 
PPTX
Introduction to Software Development and Modern Practices
byM Munim
 
PDF
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
PPTX
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
PPTX
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
PDF
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
PDF
IT Estate Modernization Solutions for Cloud-Ready Businesses.pdf
byAstuteBusiness
 
PDF
DSD-INT 2025 iMOD Parallel coupler development plan - Verkaik
byDeltares
 
PPTX
Project System Presentation details process presentation
bytejpratappandey4
 
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
DSD-INT 2025 iMOD Coupler - coupling Ribasim – MetaSWAP – MODFLOW 6 - Leander
byDeltares
 
Healthcare Mobile App Development: Features & Benefits
byjoealwyn38
 
Orion Context Broker introduction 20260114
byFermin Galan
 
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
Transferring Ideas to Impact -Driving Innovation and Demand with OnePlan
byOnePlan Solutions
 
Introduction to Software Development and Modern Practices
byM Munim
 
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
IT Estate Modernization Solutions for Cloud-Ready Businesses.pdf
byAstuteBusiness
 
DSD-INT 2025 iMOD Parallel coupler development plan - Verkaik
byDeltares
 
Project System Presentation details process presentation
bytejpratappandey4
 

OWASP CSRF Protector

  • 1.
    Copyright © TheOWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP CSRF Protector Minhaz 3rd year, Computer Engineering Delhi Technological University minhaz@owasp.org 20.09.14
  • 2.
    OWASP What all I’llcover? Very brief introduction of CSRF Introduction: CSRF Protector Project Software Design Brief introduction on implementation & final products Salient Features Roadmaps & Plans Feedbacks & Questions 2
  • 3.
  • 4.
    OWASP 4 Nice Server http://www.bestbank.com Admin ******** BestBankLogin Page Login Forgot Password? Protected by 128 bit encryption ….. Request URL: http://www.bestbank.com/ ….. ….. Form Data: username=Admin&password=Password ….. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-chec k=0 Connection: Keep-Alive … Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT Cross Site Request Forgery
  • 5.
  • 6.
    OWASP Nice Server http://www.bestbank.com/moneytransfer.php Welcome AdminBestBankMoney Transfer 10002 Transfer Receiver's Account No Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=10002&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23 1,00,000Amount
  • 7.
    OWASP Evil Server http://www.evil.com Evil Contentsare always nice!! Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=1337&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23
  • 8.
    OWASP Nice Server http://www.bestbank.com/summary/ Welcome AdminBestBankTransactions Sl No Account No Amount Date Balance 1 10002 INR 100000 10.09.14 INR 1500000 2 1337 INR 100000 11.09.14 INR 1400000
  • 9.
    OWASP Other possibilities: If thereis CSRF vulnerability in admin panel of a website, whole website can be compromised! Hijacking primary DNS server setting of your router! -> phishing, mitm etc.! …Add more! Want to see it work? Visit superlogout.com Read More at OWASP CSRF Cheat Sheets, Just Google it! 9
  • 10.
    OWASP CSRF Protector Project ProjectLeader Abbas Naderi Primary Contributor that’s me! Project Mentors Kevin W. Wall & Jim Manico Other Contributors Abhinav Dahiya 10
  • 11.
    OWASP CSRF Protector Project 11 Anew anti-CSRF method to protect web applications! It has two parts for now: A standalone php library An Apache 2.x.x module
  • 12.
  • 13.
    OWASP … … web application logic … ServerSide Interceptor / Input Filter Output Filter Request from client Response to client
  • 14.
    OWASP Has token in cookie (C) Has token in request (T) C== T Allow the request, Generate another Pseudo Random token & send it back to client! Take Action as per configuration: • Send back a 403 • Send back a 404 • Show a custom error message • Redirect user to a custom URL • Strip all request arguments and allow the request Yes Yes Yes No No No BACKServer Side Interceptor / Input Filter
  • 15.
    OWASP Output Filter • Workson Regular Expression based matching! • It injects a JavaScript code just after the closing </body> tag when there is an HTML output. • Our Normal versions also injects a <noscript> tag and a message inside it, asking user to enable JavaScript if not already done! We also have a version that works without JavaScript in case of php library
  • 16.
    OWASP The JavaScript's job Itdoes the primary job! The JavaScript code running on client’s machine ensure that, for each request that needs CSRF validation a token is attached to it at the point of dispatch! So, tokens are attached with every POST request and certain GET requests (allowed by rules in configuration) originating from the browser! Something which attacker cannot craft! 16
  • 17.
  • 18.
    OWASP Correctness of thedesign Scripts running on attacker’s website cannot retrieve token from other websites, because of Same Origin Policy of browsers! Attacker cannot use his token to authenticate requests in other websites. Attacker cannot guess tokens based on ones he has as each time a new pseudo random token is generated for each request (& each user). And PRNG in reseeded after every 10000 requests! 18
  • 19.
  • 20.
    OWASP 20 Standalone libraryfor CSRF Mitigation in php based applications. Can be easily integrated with existing web applications or can be used while developing new ones. Features: 1. Highly customisable! 2. Supports POST / GET requests! 3. Easy to alter according to your needs! 4. Works well with all php versions > 5.0
  • 21.
    OWASP • It canbe easily installed on apache 2.2 servers! Its distributed as a shared object file! • Easy to configure, by modifying fields in httpd.conf file (Apache’s configuration file) • Developer doesn’t need to make any changes to its web applications, so even server administrator can implement this in their servers. • Has currently been tested with Linux (Ubuntu) and OS X only!
  • 22.
  • 23.
    OWASP 23 Easy towork with or Integrate 1
  • 24.
    OWASP 24 Supports AJAX& dynamic forms 2 • We also have custom wrappers in JS that ensures that our injected token doesn’t creates any conflict when developer designed logic for form validation functions! • We support the old attachEvent() & ActiveObject() methods that exist in IE ( <= 6.0)
  • 25.
    OWASP 25 Supports GETrequests! 3 We use these type of regex rules to match urls at time of validation & pass it on to JavaScript code so that it knows what all requests to attach tokens with! Its stored in configuration!
  • 26.
    OWASP A better optionfor apps that support plugins 4 For example wordpress!
  • 27.
    OWASP Roadmaps? Apache 2.2 modulethat works with windows system! Automated testing (Continuous Integration) for Apache module! Support for legitimate cross-domain requests! 27
  • 28.