CSRF Protector (slide deck transcript), uploaded by minhaz-av on 21-Jul-2015

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

CSRF Protector: a newer approach for mitigating CSRF

15.03.15

OWASP

OWASP: Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organisation focused on improving the security of software. Our mission is to make software security visible, so that individuals and organisations worldwide can make informed decisions about true software security risks.


sh-3.5: whoami

Student - Computer Engineering - 6th Semester

Google Summer of Code 2014 - with OWASP

Wrote a few lines of code for the OWASP Foundation, Mozilla Foundation & phpMyAdmin project.

Developer, Todo CI (todo-ci.org)

Super excited about - browser plugins, information security, JavaScript, FOSSASIA, Maths, Trigonometry?


So what’s CSRF?


fact#0: HTTP is a stateless protocol, so we generally use cookies for maintaining state and for authenticating/validating users.

fact#1: Whenever a request originates from a browser (client) to a server, all cookies associated with that server are sent along with the request, irrespective of the origin of the request.

So if an attacker can somehow make the browser send a request, with its cookies, to the server in order to perform an action that normally needs authentication, the attacker will succeed. This is bad, and this is CSRF.

CSRF: Cross-Site Request Forgery (often pronounced See-Surf)


Time for demo

or we’ll have


Other possibilities:

If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!

Hijacking the primary DNS server setting of your router! -> phishing, MITM etc.!

…Add more!

Want to see it work? Visit superlogout.com

Read more in the OWASP CSRF Cheat Sheet, just Google it!


So what does CSRFP have for you?


CSRF Protector Project

A new anti-CSRF method to protect web applications! It has two parts for now:

A standalone PHP library

An Apache 2.x.x module


1. Easy to work with or integrate


Laravel PHP framework

WordPress plugins


While for CSRF Protector it's

for the PHP library ^^

In the case of the Apache module, it's as simple as installing the module and restarting Apache:


2. Supports AJAX & dynamic forms

• We also have custom wrappers in JS that ensure our injected token doesn't create any conflict with the developer-designed logic in form validation functions!

• We support the old attachEvent() & ActiveObject() methods that exist in IE (<= 6.0)


3. Supports GET requests!

We use these types of regex rules to match URLs at validation time and pass them on to the JavaScript code so that it knows which requests to attach tokens to!

They are stored in the configuration!
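As an added illustration (not code from the CSRF Protector project itself), the JavaScript below shows how a client-side helper can match GET request URLs against regex rules taken from a configuration and attach the anti-CSRF token only to the requests that match. The rule list, the `csrfp_token` parameter name and the sample URLs are constructed assumptions, not the project's real configuration format.

```javascript
// Added illustration; the real CSRF Protector rule format may differ.
// Assumed: rules are regex strings that are matched against the URL path.
const TOKEN_PARAM = "csrfp_token"; // assumed query parameter name

// Constructed sample rules: only state-changing GET endpoints are listed.
const SAMPLE_RULES = [
  "^/admin/.*",           // everything under the admin panel
  "^/account/delete\\b",  // account deletion endpoint
  "^/post/\\d+/publish$", // publishing a post by numeric id
];

// Compile rule strings once. A malformed rule is skipped instead of
// being turned into a catch-all, so a config typo cannot widen matching.
function compileRules(rules) {
  const compiled = [];
  for (const r of rules) {
    try { compiled.push(new RegExp(r)); } catch (e) { /* skip bad rule */ }
  }
  return compiled;
}

// Match only the path component: a query string or fragment that merely
// contains a protected path must not make an unrelated URL look protected.
function needsToken(url, compiled) {
  const path = new URL(url, "https://example.test").pathname;
  return compiled.some((re) => re.test(path));
}

// Attach the token as a query parameter to matching URLs and leave the
// rest untouched. An existing token value is replaced and the fragment
// is preserved; relative URLs stay relative, absolute URLs stay absolute.
function attachToken(url, token, compiled) {
  if (!needsToken(url, compiled)) return url;
  const u = new URL(url, "https://example.test");
  u.searchParams.set(TOKEN_PARAM, token);
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(url);
  return isAbsolute ? u.toString() : u.pathname + u.search + u.hash;
}

// Usage on constructed sample URLs.
const RULES = compileRules(SAMPLE_RULES);
console.log(attachToken("/admin/users?page=2#top", "abc123", RULES));
console.log(attachToken("/blog/view/7", "abc123", RULES));
```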


4. A better option for apps that support plugins

For example WordPress!

It ensures the weblog won't have to rely on the plugin developer for ensuring security!


Roadmaps?

An Apache 2.2 module that works on Windows systems!

An Apache 2.4.x module

Automated testing (Continuous Integration) for Apache module!

Support for legitimate cross-domain requests!


CSRF Protector Project

Project Leader

Abbas Naderi

Primary Contributor

<— — — — — — — That’s me!

Project Mentors

Kevin W. Wall & Jim Manico

Other Contributors

Abhinav Dahiya

Based on the paper: "Automatic CSRF Protection for Web 2.0 Applications" by R. Sekar & Riccardo Pelizzi


Project Wiki: https://owasp.org/index.php/CSRFProtector_Project

[email protected]

github: mebjas

twitter: minhazav

Feedback? Questions?

Want to learn about / discuss the design of the library? Talk to me!