Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP CSRF Protector
Minhaz
3rd year, Computer Engineering
Delhi Technological University
minhaz@owasp.org
20.09.14
What all I'll cover?
• Very brief introduction of CSRF
• Introduction: CSRF Protector Project
• Software Design
• Brief introduction on implementation & final products
• Salient Features
• Roadmaps & Plans
• Feedbacks & Questions
So what's CSRF?
Cross Site Request Forgery
[Slide: "Nice Server", http://www.bestbank.com. Screenshot of the BestBank login page (username Admin, password ********, "Login", "Forgot Password?", "Protected by 128 bit encryption"), shown beside the captured login exchange:
Request URL: http://www.bestbank.com/
Form Data: username=Admin&password=Password
Response headers: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0; Connection: Keep-Alive; Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT]
[Slide: "Nice Server", http://www.bestbank.com. BestBank.com page after login: "Welcome Admin", with a "Money Transfer" link]
[Slide: "Nice Server", http://www.bestbank.com/moneytransfer.php. "Welcome Admin", BestBank Money Transfer form: Receiver's Account No = 10002, Amount = 1,00,000, "Transfer" button. The captured request the browser sends:
Request URL: http://www.bestbank.com/secure/transfer.php
Form Data: accountno=10002&amount=100000
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23]
[Slide: "Evil Server", http://www.evil.com, "Evil Contents are always nice!!". While the victim views the evil page, the browser sends the same kind of request to the bank, with the session cookie attached automatically:
Request URL: http://www.bestbank.com/secure/transfer.php
Form Data: accountno=1337&amount=100000
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23]
[Slide: "Nice Server", http://www.bestbank.com/summary/. "Welcome Admin", BestBank Transactions]
Sl No | Account No | Amount     | Date     | Balance
1     | 10002      | INR 100000 | 10.09.14 | INR 1500000
2     | 1337       | INR 100000 | 11.09.14 | INR 1400000
Other possibilities:
• If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!
• Hijacking the primary DNS server setting of your router! -> phishing, MITM, etc.!
• …Add more!
Want to see it work? Visit superlogout.com
Read more at the OWASP CSRF Cheat Sheets; just Google it!
CSRF Protector Project
Project Leader: Abbas Naderi
Primary Contributor: that's me!
Project Mentors: Kevin W. Wall & Jim Manico
Other Contributors: Abhinav Dahiya
CSRF Protector Project
A new anti-CSRF method to protect web applications! It has two parts for now:
• A standalone php library
• An Apache 2.x.x module
[Diagram: Request from client -> Server Side Interceptor / Input Filter -> … web application logic … -> Output Filter -> Response to client]
Server Side Interceptor / Input Filter
[Flowchart:]
Has token in cookie (C)? -> No: take action as per configuration
  Yes -> Has token in request (T)? -> No: take action as per configuration
    Yes -> C == T? -> No: take action as per configuration
      Yes -> Allow the request, generate another pseudo random token & send it back to client!
Take action as per configuration:
• Send back a 403
• Send back a 404
• Show a custom error message
• Redirect user to a custom URL
• Strip all request arguments and allow the request
Output Filter
• Works on regular-expression-based matching!
• It injects JavaScript code just after the closing </body> tag when there is HTML output.
• Our normal versions also inject a <noscript> tag with a message inside it, asking the user to enable JavaScript if it is not already enabled! For the php library we also have a version that works without JavaScript.
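The Output Filter described above, as an added JavaScript example that is not the project's code: the script path, the noscript wording and the lower-cased header map are assumptions. It also recomputes Content-Length, which the slide does not mention but any filter that grows the response body has to do.

```javascript
// Assumed values (not the project's): where the injected script is served
// from, and the notice shown to browsers without JavaScript.
const INJECTED_SCRIPT = '<script type="text/javascript" src="/csrfp/csrfprotector.js"></script>';
const NOSCRIPT_NOTICE = '<noscript>Please enable JavaScript; this site needs it for CSRF protection.</noscript>';

// The filter only touches HTML output; JSON, images and downloads pass through.
function isHtmlResponse(headers) {
  const ct = String(headers["content-type"] || "").toLowerCase();
  return ct.startsWith("text/html");
}

// Regular-expression-based matching on the closing </body> tag. headers is a
// constructed map with lower-cased names; returns the (possibly rewritten)
// headers and body.
function outputFilter(headers, body) {
  if (!isHtmlResponse(headers)) return { headers, body };
  const closingBody = /<\/body\s*>/i;
  if (!closingBody.test(body)) return { headers, body }; // no tag: leave the output alone
  // Inject after the tag, as the slide says. The replacement is a function so
  // that "$" sequences inside the injected markup are never expanded.
  const out = body.replace(closingBody, (tag) => tag + NOSCRIPT_NOTICE + INJECTED_SCRIPT);
  // The body grew, so a Content-Length set by the application is now wrong.
  const newHeaders = Object.assign({}, headers);
  if ("content-length" in newHeaders) {
    newHeaders["content-length"] = String(Buffer.byteLength(out));
  }
  return { headers: newHeaders, body: out };
}
```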
The JavaScript's job
It does the primary job!
The JavaScript code running on the client's machine ensures that, for each request that needs CSRF validation, a token is attached to it at the point of dispatch!
So tokens are attached to every POST request and to certain GET requests (allowed by rules in the configuration) originating from the browser! Something which an attacker cannot craft!
Correctness of the design
Scripts running on the attacker's website cannot retrieve the token from other websites, because of the Same Origin Policy of browsers!
The attacker cannot use his token to authenticate requests on other websites.
The attacker cannot guess tokens based on the ones he has, as a new pseudo random token is generated for each request (& each user). And the PRNG is reseeded after every 10000 requests!
Standalone library for CSRF mitigation in php based applications. It can be easily integrated with existing web applications or used while developing new ones.
Features:
1. Highly customisable!
2. Supports POST / GET requests!
3. Easy to alter according to your needs!
4. Works well with all php versions > 5.0
• It can be easily installed on Apache 2.2 servers! It's distributed as a shared object file!
• Easy to configure, by modifying fields in the httpd.conf file (Apache's configuration file)
• The developer doesn't need to make any changes to their web applications, so even a server administrator can deploy this on their servers.
• Has currently been tested with Linux (Ubuntu) and OS X only!
1. Easy to work with or integrate
2. Supports AJAX & dynamic forms
• We also have custom wrappers in JS that ensure our injected token doesn't create any conflict with the developer's own logic for form validation functions!
• We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0)
3. Supports GET requests!
We use regex rules of this kind to match URLs at validation time, and we pass them on to the JavaScript code so that it knows which requests to attach tokens to! They are stored in the configuration!
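An added example (not the project's JavaScript) covering the dispatch-time decision from the "JavaScript's job" slide together with the GET rules on this slide: which requests get a token, and how it is appended to a form body or a URL. The cookie name, the parameter name and the sample rules are assumptions.

```javascript
// Assumed names (not the project's): the cookie the server set, and the
// parameter name under which the server expects the token back.
const TOKEN_COOKIE = "csrfp_token";
const TOKEN_PARAM = "csrfp_token";

// Constructed sample of the GET rules the configuration carries: regular
// expressions over the absolute request URL.
const GET_RULES = [
  /^https?:\/\/www\.bestbank\.com\/secure\/.*/i,
  /^https?:\/\/www\.bestbank\.com\/moneytransfer\.php(\?.*)?$/i,
];

// Token from a document.cookie-style string ("a=b; c=d"). The token cookie
// has to be readable by page script, so it cannot be HttpOnly.
function tokenFromCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === TOKEN_COOKIE) return part.slice(idx + 1).trim();
  }
  return null;
}

// The slide's rule: every POST, plus the GETs that match a configured rule.
function needsToken(method, url, rules = GET_RULES) {
  const m = method.toUpperCase();
  if (m === "POST") return true;
  if (m === "GET") return rules.some((rule) => rule.test(url));
  return false;
}

// Called at the point of dispatch (form submit or XHR send). body is an
// application/x-www-form-urlencoded string or null; returns what to send.
function attachToken(method, url, body, cookieString, rules = GET_RULES) {
  const token = tokenFromCookie(cookieString);
  if (!needsToken(method, url, rules) || token === null) {
    return { url, body, attached: false };
  }
  const pair = TOKEN_PARAM + "=" + encodeURIComponent(token);
  if (method.toUpperCase() === "GET") {
    const sep = url.includes("?") ? "&" : "?";
    return { url: url + sep + pair, body, attached: true };
  }
  return { url, body: body ? body + "&" + pair : pair, attached: true };
}
```

Only the token cookie is exposed to script here; the session cookie (SESSID in the slides) should stay HttpOnly, since the script never needs it.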
4. A better option for apps that support plugins
For example wordpress!
Roadmaps?
• Apache 2.2 module that works with Windows systems!
• Automated testing (Continuous Integration) for the Apache module!
• Support for legitimate cross-domain requests!
https://owasp.org/index.php/CSRFProtector_Project

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

OWASP CSRF Protector_Minhaz

  • 1. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
    OWASP CSRF Protector
    Minhaz, 3rd year, Computer Engineering, Delhi Technological University, minhaz@owasp.org
    20.09.14
  • 2. What all I’ll cover?
    - Very brief introduction of CSRF
    - Introduction: CSRF Protector Project
    - Software Design
    - Brief introduction on implementation & final products
    - Salient Features
    - Roadmaps & Plans
    - Feedbacks & Questions
  • 3. So what’s CSRF?
  • 4. Cross Site Request Forgery
    Mock-up of the BestBank login page at http://www.bestbank.com (fields: Admin / ********, Login, Forgot Password?, "Protected by 128 bit encryption").
    Captured login request and response:
      Request URL: http://www.bestbank.com/
      …
      Form Data: username=Admin&password=Password
      …
      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Connection: Keep-Alive
      …
      Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT
  • 6. Mock-up of the BestBank money transfer page at http://www.bestbank.com/moneytransfer.php ("Welcome Admin"; Receiver's Account No: 10002; Amount: 1,00,000; Transfer button).
    Captured transfer request:
      Request URL: http://www.bestbank.com/secure/transfer.php
      …
      Form Data: accountno=10002&amount=100000
      …
      Content-Length: 49
      Content-Type: application/x-www-form-urlencoded
      Cookie: SESSID=hhiksdh23
  • 7. Mock-up of the attacker's page at http://www.evil.com ("Evil Contents are always nice!!") and the forged transfer request it makes the victim's browser send, carrying the victim's own session cookie:
      Request URL: http://www.bestbank.com/secure/transfer.php
      …
      Form Data: accountno=1337&amount=100000
      …
      Content-Length: 49
      Content-Type: application/x-www-form-urlencoded
      Cookie: SESSID=hhiksdh23
  • 8. BestBank Transactions summary at http://www.bestbank.com/summary/ ("Welcome Admin"):
      Sl No | Account No | Amount     | Date     | Balance
      1     | 10002      | INR 100000 | 10.09.14 | INR 1500000
      2     | 1337       | INR 100000 | 11.09.14 | INR 1400000
  • 9. Other possibilities:
    - If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!
    - Hijacking the primary DNS server setting of your router! -> phishing, MITM etc.!
    - …Add more!
    Want to see it work? Visit superlogout.com
    Read more in the OWASP CSRF Cheat Sheets, just Google it!
  • 10. OWASP CSRF Protector Project
    - Project Leader: Abbas Naderi
    - Primary Contributor: that’s me!
    - Project Mentors: Kevin W. Wall & Jim Manico
    - Other Contributors: Abhinav Dahiya
  • 11. OWASP CSRF Protector Project
    A new anti-CSRF method to protect web applications! It has two parts for now:
    - A standalone PHP library
    - An Apache 2.x.x module
  • 12. OWASP
  • 13. Diagram: Request from client -> Server Side Interceptor / Input Filter -> … web application logic … -> Output Filter -> Response to client
  • 14. Server Side Interceptor / Input Filter (flowchart):
    - Has token in cookie (C)? If no, take action as per configuration.
    - Has token in request (T)? If no, take action as per configuration.
    - C == T? If no, take action as per configuration.
    - Yes to all three: allow the request, generate another pseudo-random token & send it back to the client!
    Take action as per configuration:
    - Send back a 403
    - Send back a 404
    - Show a custom error message
    - Redirect user to a custom URL
    - Strip all request arguments and allow the request
  • 15. Output Filter
    - Works on regular-expression-based matching!
    - It injects JavaScript code just after the closing </body> tag when there is an HTML output.
    - Our normal versions also inject a <noscript> tag with a message inside it, asking the user to enable JavaScript if not already done! We also have a version that works without JavaScript in the case of the PHP library.
  • 16. The JavaScript's job
    It does the primary job! The JavaScript code running on the client’s machine ensures that, for each request that needs CSRF validation, a token is attached to it at the point of dispatch! So tokens are attached to every POST request and to certain GET requests (allowed by rules in the configuration) originating from the browser! Something which an attacker cannot craft!
  • 17. OWASP
  • 18. Correctness of the design
    - Scripts running on the attacker’s website cannot retrieve the token from other websites, because of the Same Origin Policy of browsers!
    - The attacker cannot use his token to authenticate requests on other websites.
    - The attacker cannot guess tokens based on ones he has, as a new pseudo-random token is generated for each request (& each user). And the PRNG is reseeded after every 10000 requests!
  • 19. OWASP
  • 20. Standalone library for CSRF mitigation in PHP-based applications. It can be easily integrated with existing web applications or used while developing new ones.
    Features:
    1. Highly customisable!
    2. Supports POST / GET requests!
    3. Easy to alter according to your needs!
    4. Works well with all PHP versions > 5.0
  • 21.
    - It can be easily installed on Apache 2.2 servers! It’s distributed as a shared object file!
    - Easy to configure, by modifying fields in the httpd.conf file (Apache’s configuration file).
    - The developer doesn’t need to make any changes to their web applications, so even a server administrator can deploy this on their servers.
    - Has currently been tested with Linux (Ubuntu) and OS X only!
  • 23. Easy to work with or integrate (1)
  • 24. Supports AJAX & dynamic forms (2)
    - We also have custom wrappers in JS that ensure our injected token doesn’t create any conflict with the developer-designed logic of form validation functions!
    - We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0)
  • 25. Supports GET requests! (3)
    We use regex rules like the ones shown on the slide to match URLs at validation time & pass them on to the JavaScript code so that it knows which requests to attach tokens to! They are stored in the configuration!
  • 26. A better option for apps that support plugins (4), for example WordPress!
  • 27. Roadmaps?
    - Apache 2.2 module that works with Windows systems!
    - Automated testing (Continuous Integration) for the Apache module!
    - Support for legitimate cross-domain requests!
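The interceptor flowchart of slide 14 and the output filter of slide 15, as an added example that is not the CSRF Protector project's own code: a small Node.js model in which the three checks (token in cookie C, token in request T, C == T) gate the request, a fresh token is issued on success, and the configured failure action is applied otherwise; the second function does the regex-based injection of the client script after the closing </body> tag for HTML responses. The cookie and parameter name csrfp_token, the function names, the failAction values and the redirect URL /csrf-error are assumptions made for this example.

```javascript
// Added example (not the CSRF Protector project's code): server-side
// interceptor of slide 14 and output filter of slide 15, modelled in Node.js.
// The names below (TOKEN_COOKIE, validateRequest, injectScript, the
// failAction values, /csrf-error) are assumptions for illustration.
const crypto = require('crypto');

const TOKEN_COOKIE = 'csrfp_token'; // assumed cookie name carrying token C
const TOKEN_PARAM = 'csrfp_token';  // assumed request parameter carrying token T
const RESEED_EVERY = 10000;         // the deck reseeds its PRNG every 10000 requests

let sinceReseed = 0;

// A fresh, unpredictable token for every validated request. crypto.randomBytes
// is a CSPRNG, so no manual reseed is needed; the counter only mirrors the
// deck's stated policy.
function generateToken() {
  sinceReseed = (sinceReseed + 1) % RESEED_EVERY;
  return crypto.randomBytes(16).toString('hex');
}

// Constant-time comparison of C and T, so response timing leaks nothing
// about the expected token.
function tokensMatch(c, t) {
  if (typeof c !== 'string' || typeof t !== 'string') return false;
  const bc = Buffer.from(c);
  const bt = Buffer.from(t);
  if (bc.length !== bt.length) return false;
  return crypto.timingSafeEqual(bc, bt);
}

// Decision procedure of slide 14. `req` is a plain object
// { cookies: {name: value}, params: {name: value} }; `failAction` is the
// configured response when any of the three checks fails.
function validateRequest(req, failAction) {
  const c = (req.cookies || {})[TOKEN_COOKIE];
  const t = (req.params || {})[TOKEN_PARAM];

  if (c !== undefined && t !== undefined && tokensMatch(c, t)) {
    // All three checks passed: allow, and hand the client its next token.
    const next = generateToken();
    return { allowed: true, params: req.params || {}, setCookie: `${TOKEN_COOKIE}=${next}; Path=/` };
  }

  switch (failAction) {
    case 'forbidden':
      return { allowed: false, status: 403, body: 'Forbidden' };
    case 'not-found':
      return { allowed: false, status: 404, body: 'Not Found' };
    case 'message':
      return { allowed: false, status: 403, body: 'Request rejected: missing or invalid CSRF token' };
    case 'redirect':
      return { allowed: false, status: 302, location: '/csrf-error' }; // assumed custom URL
    case 'strip':
      // Let the request through, but with every argument removed.
      return { allowed: true, params: {} };
    default:
      throw new Error(`unknown failAction: ${failAction}`);
  }
}

// Output filter of slide 15: for HTML responses, inject the client-side
// script plus a <noscript> notice right after the closing </body> tag,
// located with a regular expression as the deck describes.
const BODY_CLOSE = /<\/body\s*>/i;

function injectScript(contentType, html, scriptUrl) {
  if (!/^text\/html/i.test(contentType || '')) return html;
  if (!BODY_CLOSE.test(html)) return html;
  const snippet =
    `<script src="${scriptUrl}"></script>` +
    '<noscript>Please enable JavaScript; it is required for CSRF protection.</noscript>';
  return html.replace(BODY_CLOSE, (m) => m + snippet);
}
```

Two design points worth noting: the token cookie is set without HttpOnly on purpose, because the injected JavaScript has to read it to attach the token to outgoing requests, so this design relies on the Same Origin Policy rather than on cookie flags; and the "strip" action allows the request but throws away its arguments, which is the one failure action that still reaches application code.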
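The client-side decision described on slide 16 (attach a token at dispatch time to every POST and to the GET requests the configuration allows), driven by URL rules of the kind slide 25 mentions, as an added example that is not the project's own injected JavaScript. The rule syntax, the sample rules, the cookie name csrfp_token, the constructed cookie string and all function names are assumptions; the DOM is left out so the logic can run in Node as well as in a browser.

```javascript
// Added example (not the CSRF Protector project's JavaScript): the request
// preparation step of slide 16 with GET-rule matching of slide 25. The rule
// syntax, cookie name and function names are assumptions; GET_RULES and the
// cookie strings used with it are constructed for this example.

const TOKEN_NAME = 'csrfp_token'; // assumed cookie and parameter name

// Constructed configuration: GET requests matching these anchored regular
// expressions also need a token (POST requests always do).
const GET_RULES = [
  /^https?:\/\/www\.bestbank\.com\/secure\//,
  /^https?:\/\/www\.bestbank\.com\/admin\/.*\/delete$/,
];

// Read the token the server set in its cookie. Only same-origin script can
// read it, which is exactly why a page on another origin cannot obtain it.
function readTokenFromCookie(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === TOKEN_NAME) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Does this request need a token attached at dispatch time?
// `base` resolves relative URLs (in a browser this would be location.href).
function needsToken(method, url, rules, base) {
  const m = method.toUpperCase();
  if (m === 'POST') return true;
  if (m !== 'GET') return false;
  const abs = new URL(url, base).toString();
  return rules.some((re) => re.test(abs));
}

// Attach the token as a query parameter (GET requests, links, XHR URLs).
function attachTokenToUrl(url, token, base) {
  const u = new URL(url, base);
  u.searchParams.set(TOKEN_NAME, token);
  return u.toString();
}

// Attach the token as a form field; returns a copy so caller data is untouched.
function attachTokenToForm(fields, token) {
  return Object.assign({}, fields, { [TOKEN_NAME]: token });
}

// Prepare one outgoing request: returns the (possibly modified) url and body.
function prepareRequest(method, url, body, cookieString, rules, base) {
  if (!needsToken(method, url, rules, base)) return { url, body };
  const token = readTokenFromCookie(cookieString);
  if (token === null) return { url, body }; // nothing to attach; the server will reject
  if (method.toUpperCase() === 'GET') {
    return { url: attachTokenToUrl(url, token, base), body };
  }
  return { url, body: attachTokenToForm(body || {}, token) };
}
```

The rules are matched against the fully resolved URL so that a relative form action or XHR path is judged the same way as its absolute form; a rule set that only matched relative paths would silently skip requests written with absolute URLs.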