9. OWASP
Other possibilities:
If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!
Hijacking the primary DNS server setting of your router! -> phishing, MITM etc.!
…Add more!
Want to see it work? Visit superlogout.com
Read more at the OWASP CSRF Cheat Sheets, just Google it!
10. OWASP
CSRF Protector Project
Project Leader: Abbas Naderi
Primary Contributor: that’s me!
Project Mentors: Kevin W. Wall & Jim Manico
Other Contributors: Abhinav Dahiya
11. OWASP
CSRF Protector Project
A new anti-CSRF method to protect web applications! It has two parts for now:
A standalone php library
An Apache 2.x.x module
14. OWASP
Server Side Interceptor / Input Filter
Has token in cookie (C)? -> No: take action as per configuration
Yes -> Has token in request (T)? -> No: take action as per configuration
Yes -> C == T? -> No: take action as per configuration
Yes -> Allow the request, generate another pseudo random token & send it back to the client!
Take action as per configuration:
• Send back a 403
• Send back a 404
• Show a custom error message
• Redirect user to a custom URL
• Strip all request arguments and allow the request
15. OWASP
Output Filter
• Works on regular-expression-based matching!
• It injects JavaScript code just after the closing </body> tag whenever there is HTML output.
• Our normal versions also inject a <noscript> tag with a message inside it, asking the user to enable JavaScript if it is not already enabled! We also have a version of the php library that works without JavaScript.
16. OWASP
The JavaScript's job
It does the primary job!
The JavaScript code running on the client’s machine ensures that, for each request that needs CSRF validation, a token is attached to it at the point of dispatch!
So tokens are attached to every POST request and to certain GET requests (allowed by rules in the configuration) originating from the browser! Something which an attacker cannot craft!
18. OWASP
Correctness of the design
Scripts running on an attacker’s website cannot retrieve the token from other websites, because of the Same Origin Policy of browsers!
An attacker cannot use his token to authenticate requests on other websites.
An attacker cannot guess tokens based on the ones he has, as a new pseudo random token is generated for each request (& each user). And the PRNG is reseeded after every 10000 requests!
20. OWASP
Standalone library for CSRF mitigation in php-based applications. It can be easily integrated with existing web applications or used while developing new ones.
Features:
1. Highly customisable!
2. Supports POST / GET requests!
3. Easy to alter according to your needs!
4. Works well with all php versions > 5.0
21. OWASP
• It can be easily installed on Apache 2.2 servers! It's distributed as a shared object file!
• Easy to configure, by modifying fields in the httpd.conf file (Apache’s configuration file)
• The developer doesn’t need to make any changes to their web applications, so even a server administrator can deploy it on their servers.
• Has currently been tested with Linux (Ubuntu) and OS X only!
24. OWASP
Supports AJAX & dynamic forms (2)
• We also have custom wrappers in JS that ensure our injected token doesn’t create any conflict with developer-designed form validation logic!
• We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0)
25. OWASP
Supports GET requests! (3)
We use regex rules of this type to match URLs at validation time and pass them on to the JavaScript code so that it knows which requests to attach tokens to!
They are stored in the configuration!
27. OWASP
Roadmaps?
Apache 2.2 module that works on Windows systems!
Automated testing (Continuous Integration) for the Apache module!
Support for legitimate cross-domain requests!