owasp csrf protector_minhaz

OWASP CSRF Protector

Minhaz

3rd year, Computer Engineering

Delhi Technological University

[email protected]

20.09.14

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Uploaded by owasp, posted on 22-Jul-2015

TRANSCRIPT


What will I cover?

Very brief introduction to CSRF

Introduction: CSRF Protector Project

Software Design

Brief introduction to the implementation & final products

Salient Features

Roadmaps & Plans

Feedback & Questions

So what's CSRF?

[Slide 4: screenshot of the BestBank login page on the "Nice Server" at http://www.bestbank.com: username Admin, password ********, "Login", "Forgot Password?", "Protected by 128 bit encryption". The captured login request and response:]

Request URL: http://www.bestbank.com/…
Form Data: username=Admin&password=Password
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT

Cross Site Request Forgery

[Slide 5: the BestBank.com home page on the "Nice Server" at http://www.bestbank.com after login: "Welcome Admin", with a "Money Transfer" link.]

[Slide 6: the BestBank Money Transfer page at http://www.bestbank.com/moneytransfer.php: "Welcome Admin"; a form with Receiver's Account No = 10002, Amount = 1,00,000 and a "Transfer" button. The legitimate transfer request:]

Request URL: http://www.bestbank.com/secure/transfer.php
Form Data: accountno=10002&amount=100000
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23

[Slide 7: the "Evil Server" at http://www.evil.com, showing "Evil Contents are always nice!!". While the victim views it, the browser sends a forged transfer request to BestBank with the victim's session cookie attached:]

Request URL: http://www.bestbank.com/secure/transfer.php
Form Data: accountno=1337&amount=100000
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23

[Slide 8: the BestBank Transactions summary at http://www.bestbank.com/summary/, "Welcome Admin":]

Sl No  Account No  Amount      Date      Balance
1      10002       INR 100000  10.09.14  INR 1500000
2      1337        INR 100000  11.09.14  INR 1400000

Other possibilities:

If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!

Hijacking the primary DNS server setting of your router -> phishing, MITM etc.!

…Add more!

Want to see it work? Visit superlogout.com

Read more in the OWASP CSRF Cheat Sheets, just Google it!

CSRF Protector Project

Project Leader: Abbas Naderi

Primary Contributor: that's me!

Project Mentors: Kevin W. Wall & Jim Manico

Other Contributors: Abhinav Dahiya

CSRF Protector Project

A new anti-CSRF method to protect web applications! It has two parts for now:

A standalone php library

An Apache 2.x.x module

[Slide 12: software design overview. Request from client -> Server Side Interceptor / Input Filter -> web application logic… -> Output Filter -> Response to client.]

Server Side Interceptor / Input Filter

[Slide 13: validation flowchart]

Has token in cookie (C)?
  No  -> Take action as per configuration
  Yes -> Has token in request (T)?
           No  -> Take action as per configuration
           Yes -> C == T?
                    No  -> Take action as per configuration
                    Yes -> Allow the request, generate another pseudo random token & send it back to the client!

Take action as per configuration:

• Send back a 403
• Send back a 404
• Show a custom error message
• Redirect user to a custom URL
• Strip all request arguments and allow the request

Output Filter

• Works on regular-expression-based matching!

• It injects JavaScript code just after the closing </body> tag when there is HTML output.

• Our normal versions also inject a <noscript> tag with a message inside it, asking the user to enable JavaScript if not already done! We also have a version that works without JavaScript in the case of the php library.

The JavaScript's job

It does the primary job!

The JavaScript code running on the client's machine ensures that, for each request that needs CSRF validation, a token is attached to it at the point of dispatch!

So tokens are attached to every POST request and to certain GET requests (allowed by rules in the configuration) originating from the browser! Something which an attacker cannot craft!

Correctness of the design

Scripts running on the attacker's website cannot retrieve the token from other websites, because of the Same Origin Policy of browsers!

The attacker cannot use his token to authenticate requests on other websites.

The attacker cannot guess tokens based on ones he has, as a new pseudo random token is generated for each request (& each user). And the PRNG is reseeded after every 10000 requests!

Standalone library for CSRF mitigation in php based applications. It can be easily integrated with existing web applications or used while developing new ones.

Features:

1. Highly customisable!

2. Supports POST / GET requests!

3. Easy to alter according to your needs!

4. Works well with all php versions > 5.0

• It can be easily installed on apache 2.2 servers! It's distributed as a shared object file!

• Easy to configure, by modifying fields in the httpd.conf file (Apache's configuration file)

• The developer doesn't need to make any changes to their web applications, so even a server administrator can implement this on their servers.

• Has currently been tested with Linux (Ubuntu) and OS X only!

1. Easy to work with or integrate

2. Supports AJAX & dynamic forms

• We also have custom wrappers in JS that ensure our injected token doesn't create any conflict with developer-designed logic for form validation functions!

• We support the old attachEvent() & ActiveObject() methods that exist in IE (<= 6.0)

3. Supports GET requests!

We use these types of regex rules to match URLs at the time of validation & pass them on to the JavaScript code so that it knows which requests to attach tokens to! They are stored in the configuration!
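How the client-side script decides which requests get a token (every POST, and only those GET URLs that match a configured regex rule) and attaches it at dispatch time, as an added JavaScript example that is not the project's injected script. The rule format (one regex per URL pattern), the sample rules and the names TOKEN_NAME, needsToken and prepareRequest are assumptions for illustration.

```javascript
// Added example, not the project's injected script: the client-side decision
// of which requests get a token, and how it is attached at dispatch time.
// The rule format (one regex per URL pattern) and the names below are assumed.
const TOKEN_NAME = 'csrfp_token';   // assumed cookie and parameter name

// Constructed GET rules in the spirit of the slide: only state-changing GET
// URLs are listed; any other GET request goes out untouched.
const GET_RULES = [
  'http://www\\.bestbank\\.com/secure/transfer\\.php.*',
  'http://www\\.bestbank\\.com/account/delete.*',
].map((pattern) => new RegExp('^' + pattern + '$'));

// Read the current token from a cookie string (what document.cookie returns).
function tokenFromCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === TOKEN_NAME) return rest.join('=');
  }
  return null;
}

// Every POST needs a token; a GET only when its URL matches a configured rule.
function needsToken(method, url) {
  const m = method.toUpperCase();
  if (m === 'POST') return true;
  if (m === 'GET') return GET_RULES.some((re) => re.test(url));
  return false;
}

// Add the token as a query parameter, keeping any existing ones.
function attachTokenToUrl(url, token) {
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + TOKEN_NAME + '=' + encodeURIComponent(token);
}

// Called at the point of dispatch (form submit or XMLHttpRequest.send):
// returns the URL to send and, for POST, the extra form field to add.
function prepareRequest(method, url, cookieString) {
  const token = tokenFromCookie(cookieString);
  if (token === null || !needsToken(method, url)) return { url, extraFields: {} };
  if (method.toUpperCase() === 'POST') return { url, extraFields: { [TOKEN_NAME]: token } };
  return { url: attachTokenToUrl(url, token), extraFields: {} };
}
```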

4. A better option for apps that support plugins

For example WordPress!

Roadmaps?

Apache 2.2 module that works with Windows systems!

Automated testing (Continuous Integration) for the Apache module!

Support for legitimate cross-domain requests!

https://owasp.org/index.php/CSRFProtector_Project