OWASP - User contributions [en]

CSRF Protector php library

2018-03-15T22:16:06Z

A V Minhaz: /* Current Status */

<h2>CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability</h2>

==What is CSRF Protector php library==
Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. [https://github.com/mebjas/CSRF-Protector-PHP/wiki More information available at github wiki]

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms

==Damages Mitigated==
* Cross Site Request Forgery

==How to contribute==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

==Current Status==
Version 1.0.0 Released!

==TODOs==
All todos for CSRF Protector PHP are listed at: [http://www.todofy.org/r/mebjas/CSRF-Protector-PHP todofy - CSRF Protector PHP]

==Download Now==
[https://github.com/mebjas/CSRF-Protector-PHP/releases - CSRFP php master code]

CSRF Protector php library

2018-03-15T22:15:51Z

A V Minhaz: updated download link

<h2>CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability</h2>

==What is CSRF Protector php library==
Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. [https://github.com/mebjas/CSRF-Protector-PHP/wiki More information available at github wiki]

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms

==Damages Mitigated==
* Cross Site Request Forgery

==How to contribute==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

==Current Status==
Version 0.1.0 Released!

==TODOs==
All todos for CSRF Protector PHP are listed at: [http://www.todofy.org/r/mebjas/CSRF-Protector-PHP todofy - CSRF Protector PHP]

==Download Now==
[https://github.com/mebjas/CSRF-Protector-PHP/releases - CSRFP php master code]

CSRFProtector Project

2018-03-15T22:12:49Z

A V Minhaz: Updated download link and text

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

*[[User:A_V_Minhaz|Minhaz]]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Abbas Naderi|Abbas Naderi]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases CSRFProtector PHP]

== Quick Links ==
- [http://www.slideshare.net/MinhazAv/csrf-protector SlideShare Deck]

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]

GSOC2018 Ideas

2018-01-11T19:45:58Z

A V Minhaz: Added CSRF Protector Project Proposal

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.
===Zest Text Representation and Parser===
'''Brief Explanation:'''

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

'''Expected Results:'''
* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our Development Rules and Guidelines

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== SAMPLE: OWASP Hackademic Challenges ==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2016 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

=== REST API for the sandbox ===

'''Brief Explanation:'''

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project:
Since the sandbox is written in python, you will be using Django to implement the api.
The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter.
However the communication between the two has to be over a secure channel.

'''Expected Results:'''
* A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.
* PEP8 compliant code
* Acceptable unit test coverage

''' Getting started: '''
Since this has been a popular project here's a suggestion on how to get started.
* Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository
* Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)
* Read on what Docker and Vagrant are and take a look at their respective py-libraries
* If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project)

'''Knowledge Prerequisites:'''
Python, test driven development, some idea what REST is, some security knowledge would be preferable.

'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in python using Django.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.
* PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

''' Getting Started: '''
* Install and take a brief look around the old cms so you have an idea of the functionality needed
* It's ok to scream in frustration
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)

'''Knowledge Prerequisites:'''
Python, Django, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

==OWASP Security Knowledge Framework==
===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding
===Your idea / Getting started===
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)
===Expected Results===
*Adding features to SKF project
**https://github.com/blabla1337/skf-flask/issues/369
**https://github.com/blabla1337/skf-flask/issues/367
**https://github.com/blabla1337/skf-flask/issues/68
**https://github.com/blabla1337/skf-flask/issues/95
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
*Adding/updating knowledge base items
*Adding CWE references to knowledgebase items
**https://github.com/blabla1337/skf-flask/issues/35
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated
**https://github.com/blabla1337/skf-flask/issues/352
===Knowledge Prerequisites===
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0
*For writing knowledgebase items only technical knowledge of application security is required
*For writing / updating code examples you need to know a programming language along with secure development.
*For writing the verification guide you need some penetration testing experience.
'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

==OWASP Nettacker==
===Brief Explanation===
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).

===Getting started===

* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.

'''A Better Penetration Testing Automated Framework'''

===Expected Results===
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.

===Knowledge Prerequisites===

* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.
* Good knowledge of computer security (and penetration testing)
* Knowledge of OS (Linux, Windows, Mac...) and Services
* Familiar with IDS/IPS/Firewalls and ...
* To develop the API you should be familiar with HTTP, Database...

===Mentors===
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2018 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Frontend Tech/Design Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well. Furthermore, the OWASP Juice Shop could greatly benefit from involvement of someone with UI/UX Design expertise. Individual product images would be lovely, too.

'''Expected Results:'''
* High-level target client-architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.
* Iterative and incremental redesign of the UI/UX as well as the product image catalog

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, testing and building
* Additional web and/or graphic design experience would be highly welcome

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP CSRF Protector ==
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form.
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===
'''Brief explanation:'''

The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.

Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;

The goal of this project would be to:
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues]
'''Expected results:'''
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)

'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]

User:A V Minhaz

2017-04-14T10:45:36Z

A V Minhaz: added one line

==Contribution==
I'm OWASP Contributor, GSOC Intern ([https://www.owasp.org/index.php/CSRFProtector_Project - CSRF Protector Project]) in the year 2014.
I'm actively maintaining the project currently.

I'm from India, a security enthusiast who want to keep the web a safer place.

I have been working with OWASP since Aug '13, I have worked on following projects :
* [https://www.owasp.org/index.php/OWASP_PHP_Security_Project OWASP PHPSEC]
* [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRF Protector Project, GSOC 14]
* [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project, Summer Code Sprint 2015]
* ...

==Personal==
Github: http://github.com/mebjas 
LinkedIn: https://in.linkedin.com/in/minhazav 
Twitter: https://twitter.com/minhazav

==Other Open Source Related Works==
[http://www.todo-ci.org Todofy - Manage Todos in your projects] 
[https://chrome.google.com/webstore/detail/facebook-chat-customiser/cfdnmijlibfnjggfeipmjhkbieegjhbd Facebook Chat Customiser Chrome Extension]

==Contact==

minhaz@owasp.org[mailto:minhaz@owasp.org] 
minhazav@gmail.com[mailto:minhazav@gmail.com] 
Blog: http://blog.minhazav.xyz

CSRFProtector Project

2017-04-14T10:44:34Z

A V Minhaz: Added contributors

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

*[[User:A_V_Minhaz|Minhaz]]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Abbas Naderi|Abbas Naderi]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.2.1 CSRFProtector PHP v0.2.1]

== Quick Links ==
- [http://www.slideshare.net/MinhazAv/csrf-protector SlideShare Deck]

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]

CSRFProtector Project

2017-03-29T19:29:41Z

A V Minhaz: added slideshare deck

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

*[[User:A_V_Minhaz|Minhaz]]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.2.1 CSRFProtector PHP v0.2.1]

== Quick Links ==
- [http://www.slideshare.net/MinhazAv/csrf-protector SlideShare Deck]

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRFProtector Project

2017-02-16T15:46:30Z

A V Minhaz: /* Project leader */

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

*[[User:A_V_Minhaz|Minhaz]]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.2.1 CSRFProtector PHP v0.2.1]

== Quick Links ==
-

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRFProtector Project

2017-02-16T15:45:17Z

A V Minhaz: /* Quick Download */

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.2.1 CSRFProtector PHP v0.2.1]

== Quick Links ==
-

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRFProtector Project

2017-02-16T15:45:02Z

A V Minhaz: /* Quick Download */

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.2.1 - CSRFProtector PHP v0.2.1]

== Quick Links ==
-

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRFProtector Project

2017-02-16T15:44:41Z

A V Minhaz: /* Quick Download */

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.2.1]

== Quick Links ==
-

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRFProtector Project

2016-08-01T15:01:21Z

A V Minhaz: removed quick links

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]

== Quick Links ==
-

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

User:A V Minhaz

2015-11-30T16:50:56Z

A V Minhaz:

==Contribution==
I'm OWASP Contributor, GSOC Intern ([https://www.owasp.org/index.php/CSRFProtector_Project - CSRF Protector Project]) in the year 2014.
I'm from India, a security enthusiast who want to keep the web a safer place.

I have been working with OWASP since Aug '13, I have worked on following projects :
* [https://www.owasp.org/index.php/OWASP_PHP_Security_Project OWASP PHPSEC]
* [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRF Protector Project, GSOC 14]
* [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project, Summer Code Sprint 2015]
* ...

==Personal==
Github: http://github.com/mebjas 
LinkedIn: https://in.linkedin.com/in/minhazav 
Twitter: https://twitter.com/minhazav

==Other Open Source Related Works==
[http://www.todo-ci.org Todofy - Manage Todos in your projects] 
[https://chrome.google.com/webstore/detail/facebook-chat-customiser/cfdnmijlibfnjggfeipmjhkbieegjhbd Facebook Chat Customiser Chrome Extension]

==Contact==

minhaz@owasp.org[mailto:minhaz@owasp.org] 
minhazav@gmail.com[mailto:minhazav@gmail.com] 
Blog: http://blog.minhazav.xyz

CSRFProtector Project

2015-09-06T19:24:51Z

A V Minhaz: link to todofy updated

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]

== Quick Links ==
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.pptx CSRFProtector.pptx]

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRFProtector Project

2015-08-26T10:18:55Z

A V Minhaz: links to todos added

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module] 
[http://www.todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library] 
[http://www.todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |

== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]

== Quick Links ==
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.pptx CSRFProtector.pptx]

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

Mod csrfprotector

2015-08-26T10:17:04Z

A V Minhaz: info about todos added

<h2>mod_csrfprotector - Apache 2.x.x Modules for mitigating CSRF attacks</h2>

==What is mod_csrfprotector==
Its an Apache 2.x.x Module (Currently 2.2.x) under development. It can be installed and configured in any Apache Server to protect it against Cross Site Request Forgery attacks. mod_csrfprotector provides protection to both POST and GET requests (not enabled by default).

==How mod_csrfprotector works?==
Once installed in Apache Server, every request that is made to the server, and validated against CSRF attacks by the input filters. Input filter follows a protocol as mentioned by developer in configuration, which helps the module to decide weather to validated the request. The input filter checks for appropriate token sent with request. Request if forwarded to other filters or content generator (like php or cgi) in validation is successful. Otherwise, appropriate actions are taken as per configuration. For ex: 403, Forbidden header is send to client.
The Output filter, checks for content type of output generated by content generator and if it is `text/html` or `text/xhtml` it appends javascript code to the output. This js code in client side is responsible for attaching CSRFP_token with every required request sent from client.

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms

==Damages Mitigated==
* Cross Site Request Forgery

==How to contribute==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - mod_csrfprotector]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

==TODOs==
All todos for mod_csrfprotector are listed at: [http://www.todofy.org/r/mebjas/mod_csrfprotector todofy: mod_csrfprotector]

==Current Status==
Under Development

CSRF Protector php library

2015-08-26T10:15:32Z

A V Minhaz: added links to todos

<h2>CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability</h2>

==What is CSRF Protector php library==
Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. [https://github.com/mebjas/CSRF-Protector-PHP/wiki More information available at github wiki]

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms

==Damages Mitigated==
* Cross Site Request Forgery

==How to contribute==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

==Current Status==
Version 0.1.0 Released!

==TODOs==
All todos for CSRF Protector PHP are listed at: [http://www.todofy.org/r/mebjas/CSRF-Protector-PHP todofy - CSRF Protector PHP]

==Download Now==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/download/v0.1.0/csrfp.-php-library.zip - CSRFP php master code] 
[https://github.com/mebjas/CSRF-Protector-PHP/releases/download/v0.1.0/csrfp-php-library-nojs.zip - CSRFP php with nojs support]

User:A V Minhaz

2015-08-15T12:44:30Z

A V Minhaz:

==Contribution==
I'm OWASP Contributor, GSOC Intern ([https://www.owasp.org/index.php/CSRFProtector_Project - CSRF Protector Project]) in the year 2014.
I'm from India, a security enthusiast who want to keep the web a safer place.

I have been working with OWASP since Aug '13, I have worked on following projects :
* [https://www.owasp.org/index.php/OWASP_PHP_Security_Project OWASP PHPSEC]
* [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRF Protector Project, GSOC 14]
* [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project, Summer Code Sprint 2015]
* ...

==Personal==
Github: http://github.com/mebjas 
LinkedIn: https://in.linkedin.com/in/minhazav 
Twitter: https://twitter.com/minhazav

==Other Open Source Related Works==
[http://www.todo-ci.org Todo CI - Manage Todos in your projects] 
[https://chrome.google.com/webstore/detail/facebook-chat-customiser/cfdnmijlibfnjggfeipmjhkbieegjhbd Facebook Chat Customiser Chrome Extension]

==Contact==

minhaz@owasp.org[mailto:minhaz@owasp.org] 
minhazav@gmail.com[mailto:minhazav@gmail.com] 
Blog: http://cistoner.org/minhaz

User:A V Minhaz

2015-04-30T13:23:23Z

A V Minhaz:

==Contribution==
I'm OWASP Contributor, GSOC Intern ([https://www.owasp.org/index.php/CSRFProtector_Project - CSRF Protector Project]) in the year 2014.
I'm from India, a security enthusiast who want to keep the web a safer place.

I have been working with OWASP since Aug '13, I have worked on following projects :
* [https://www.owasp.org/index.php/OWASP_PHP_Security_Project OWASP PHPSEC]
* [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRF Protector Project, GSOC 14]
* ...

==Personal==
Github: http://github.com/mebjas 
LinkedIn: https://in.linkedin.com/in/minhazav 
Twitter: https://twitter.com/minhazav

==Other Open Source Related Works==
[http://www.todo-ci.org Todo CI - Manage Todos in your projects] 
[https://chrome.google.com/webstore/detail/facebook-chat-customiser/cfdnmijlibfnjggfeipmjhkbieegjhbd Facebook Chat Customiser Chrome Extension]

==Contact==

minhaz@owasp.org[mailto:minhaz@owasp.org] 
minhazav@gmail.com[mailto:minhazav@gmail.com] 
Blog: http://cistoner.org/minhaz

User:A V Minhaz

2015-04-30T13:18:14Z

A V Minhaz: /* Contact */

CSRFProtector Project

2015-04-21T16:52:48Z

A V Minhaz: reference added

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
 
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]

==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |
== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]

== Quick Links ==
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.pptx CSRFProtector.pptx]

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRFProtector Project

2014-12-13T18:37:05Z

A V Minhaz: /* Quick Links */

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |
== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]

== Quick Links ==
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.pptx CSRFProtector.pptx]

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

Cross-Site Request Forgery (CSRF)

2014-12-13T18:31:05Z

A V Minhaz: /* How to Prevent CSRF Vulnerabilities */

{{Template:Attack}}

[[Category:OWASP ASDR Project]]
 

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Overview==
Cross-Site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transfering funds, changing their email address, etc. If the victim is an administrative account, CSRF can compromise the entire web application.

==Related Security Activities==

===How to Review Code for CSRF Vulnerabilities===

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing code for Cross-Site Request Forgery issues |Reviewing code for CSRF]] Vulnerabilities.

===How to Test for CSRF Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]] Vulnerabilities.

===How to Prevent CSRF Vulnerabilities===

See the [http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet] for prevention measures.

Listen to the [http://www.owasp.org/download/jmanico/owasp_podcast_69.mp3 OWASP Top Ten CSRF Podcast].

Most frameworks have built-in CSRF support such as [http://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms Joomla], [http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html Spring], [http://web.securityinnovation.com/appsec-weekly/blog/bid/84318/Cross-Site-Request-Forgery-CSRF-Prevention-Using-Struts-2 Struts], [http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf Ruby on Rails], [http://www.troyhunt.com/2010/11/owasp-top-10-for-net-developers-part-5.html .NET] and others.

Use [[:Category:OWASP_CSRFGuard_Project|OWASP CSRF Guard]] to add CSRF protection to your Java applications. You can use [[CSRFProtector Project]] to protect your php applications or any project deployed using Apache Server . There is a [[.Net CSRF Guard]] at OWASP as well, but its old and doesn't look complete.

John Melton also has an [http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/ excellent blog post] describing how to use the native anti-CSRF functionality of the [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI].

==Description==
CSRF is an attack that tricks the victim into submitting a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish the forged request sent by the victim from a legitimate request sent by the victim.

CSRF attacks target functionality that causes a state change on the server, such as change the victim's e-mail address, home address, password, or purchase something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does. As such, CSRF attacks target state-changing requests.

Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.

===Prevention measures that do '''NOT''' work===
;Using a secret cookie
:Remember that all cookies, even the ''secret'' ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.

;Only accepting POST requests
:Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious POST request, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted on the attacker's website comprised entirely of hidden fields. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.


==Examples==

===How does the attack work?===
There are numerous ways in which an end-user can be tricked into loading information from or submitting information to a web application. In order to execute an attack, we must first understand how to generate a valid malicious request for our victim to execute. Let us consider the following example: Alice wishes to transfer $100 to Bob using the ''bank.com'' web application that is vulnerable to CSRF. Maria, an attacker, wants to trick Alice to send the money to her instead. The attack will comprise the following steps:

* building an exploit URL or script,
* tricking Alice into executing the action with [[Social Engineering]]

====GET scenario====
If the application was designed to primarily use GET requests to transfer parameters and execute actions, the money transfer operation might be reduced to a request like:

GET <nowiki>http://bank.com/transfer.do?acct=BOB&amount=100</nowiki> HTTP/1.1

Maria now decides to exploit this web application vulnerability using Alice as her victim. Maria first constructs the following exploit URL which will transfer $100,000 from Alice's account to her account. She takes the original command URL and replaces the beneficiary name with herself, raising the transfer amount significantly at the same time:

<nowiki>http://bank.com/transfer.do?acct=MARIA&amount=100000</nowiki>

The [[Social Engineering]] part of the attack will trick Alice to load this URL when she's logged into the bank application. This is usually done with one of the following techniques:

* sending an unsolicited email with HTML content
* planting an exploit URL or script on pages that are likely to be visited by the victim while they are also doing online banking.

The exploit URL can be disguised either as an ordinary link, encouraging the victim to click it:

<nowiki><a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a></nowiki>

Or by a 0x0 fake image:

<nowiki><img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="0" height="0" border="0"></nowiki>

If this image tag were included in the email, Alice wouldn't see anything. However, the browser ''will still'' submit the request to bank.com without any visual indication that the transfer has taken place.

A real life example of CSRF attack on an application using GET was [http://xs-sniper.com/blog/2008/04/21/csrf-pwns-your-box/ uTorrent exploit] from 2008 that was used on a mass scale to download malware.

====POST scenario====
The only difference when POST requests are being used is how the attack is being executed by the victim. Let's assume the bank now uses POST and the vulnerable request looks like this:

POST <nowiki>http://bank.com/transfer.do</nowiki> HTTP/1.1

acct=BOB&amount=100

Such a request cannot be delivered using standard A or IMG tags, but can be delivered using a FORM tag:

<form action="<nowiki>http://bank.com/transfer.do</nowiki>" method="POST">
<input type="hidden" name="acct" value="MARIA"/>
<input type="hidden" name=amount" value="100000"/>
<input type="submit" value="View my pictures"/>
</form>

This form will require the user to click on the submit button, but this can be also executed automatically using JavaScript:

<body onload="document.forms[0].submit()">
<form...

====Other HTTP methods====
Modern web application APIs are frequently using other HTTP methods such as PUT or DELETE. Let's assume the vulnerable bank uses PUT method that takes a JSON block as an argument:

PUT <nowiki>http://bank.com/transfer.do</nowiki> HTTP/1.1

{"acct":"BOB", "amount":100}

Such requests can be executed with JavaScript embedded into an exploit page:

<script>
function put() {
var x = new XMLHttpRequest();
x.open("PUT","<nowiki>http://bank.com/transfer.do</nowiki>",true);
x.setRequestHeader("Content-Type", "application/json");
x.send(JSON.stringify('{"acct":"BOB", "amount":100}'));
}
</script>
<body onload="put()">

Fortunately, this request will '''not''' be executed by modern web browsers thanks to [[Same-Origin Policy]] restrictions. This restriction is enabled by default unless the target web site explicitly opens up Cross Origin Requests from the attacker's (or everyone's) origin by using [[HTML5 Security Cheat Sheet#Cross_Origin_Resource_Sharing|CORS]] with the following header:

Access-Control-Allow-Origin: *


==Related [[Attacks]]==
* [[Cross-site Scripting (XSS)]]
* [[Cross Site History Manipulation (XSHM)]]


==Related [[Controls]]==
* Add a per-request nonce to URL and all forms in addition to the standard session. This is also referred to as "form keys". Many frameworks (ex, Drupal.org 4.7.4+) either have or are starting to include this type of protection "built-in" to every form so the programmer does not need to code this protection manually.
* Add a per-session nonce to all forms
* Add a hash(session id, function name, server-side secret) to all forms
* .NET - add session identifier to ViewState with MAC (Described in detail in: [[Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Viewstate_(ASP.NET) | the CSRF Prevention Cheat Sheet]])
* Checking the referer header in the client's HTTP request can prevent CSRF attacks. By ensuring the HTTP request have come from the original site means that the attacks from other sites will not function. It is very common to see referer header checks used on embedded network hardware due to memory limitations. XSS can be used to bypass both referer and token based checks simultaneously. For instance the Sammy Worm used an XHR to obtain the CSRF token to forge requests.
* "Although CSRF is fundamentally a problem with the web application, not the user, users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session." -http://en.wikipedia.org/wiki/Cross-site_request_forgery#_note-1
* [[Tokenizing]]

==References==
* [http://www.cgisecurity.com/articles/csrf-faq.shtml The Cross-Site Request Forgery (CSRF/XSRF) FAQ]
: ''quote: "This paper serves as a living document for Cross-Site Request Forgery issues. This document will serve as a repository of information from existing papers, talks, and mailing list postings and will be updated as new information is discovered."''

* [[Testing for CSRF (OWASP-SM-005)|Testing for CSRF]]
: CSRF (aka Session riding) paper from the OWASP Testing Guide project (need to integrate)

* [http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2 CSRF Vulnerability: A 'Sleeping Giant']
: Overview Paper

* [http://www.owasp.org/index.php/Image:RequestRodeo-MartinJohns.pdf Client Side Protection against Session Riding]
: Martin Johns and Justus Winter's interesting paper and presentation for the 4th OWASP AppSec Conference which described potential techniques that browsers could adopt to automatically provide CSRF protection - [http://www.owasp.org/index.php/Image:RequestRodeo-MartinJohns.pdf PDF paper]

* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRF Guard]]
: J2EE, .NET, and PHP Filters which append a unique request token to each form and link in the HTML response in order to provide universal coverage against CSRF throughout your entire application.

* [http://owasp.org/index.php/CSRFProtector_Project OWASP CSRF Protector]
: a new anti CSRF method to mitigate CSRF in web applications. Currently implemented as a php library & Apache 2.x.x module

* [http://yehg.net/lab/pr0js/view.php/A_Most-Neglected_Fact_About_CSRF.pdf A Most-Neglected Fact About Cross Site Request Forgery (CSRF) ]
: Aung Khant, http://yehg.net, explained the danger and impact of CSRF with imperiling scenarios.

* [[:Category:OWASP CSRFTester Project|OWASP CSRF Tester]]
: The OWASP CSRFTester gives developers the ability to test their applications for CSRF flaws.

* [http://code.google.com/p/pinata-csrf-tool/ Pinata-CSRF-Tool: CSRF POC tool]
: Pinata makes it easy to create Proof of Concept CSRF pages. Assists in Application Vulnerability Assessment.

[[Category:Exploitation of Authentication]]
[[Category:Embedded Malicious Code]]
[[Category:Spoofing]]
[[Category: Attack]]

CSRFProtector Project

2014-11-17T05:51:04Z

A V Minhaz:

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |
== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]

== Quick Links ==
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.key CSRFProtector.key] 
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.pptx CSRFProtector.pptx]
== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

OWASP Code Kids 2015 Ideas

2014-11-08T08:32:23Z

A V Minhaz: /* Task 3: Porting CSRF Protector PHP Wiki (from Github) to OWASP Wiki */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

== OWASP CSRF Protector ==

=== Task 1-2: CSRF Protector logo ===

'''Brief Explanation:'''

Design logos for the for CSRF Protector Project, possibly two versions one for php library and another one for Apache module.
Both of them should resemble OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

OWASP CSRF Protector logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Minhaz

=== Task 3: Porting CSRF Protector PHP Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for CSRF Protector php library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.

'''Reference'''

[https://github.com/mebjas/CSRF-Protector-PHP/wiki Github wiki for CSRF Protector php]

'''Mentors:''' Minhaz

=== Task 4: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for mod_csrfprotector library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.

'''References'''

[https://github.com/mebjas/mod_csrfprotector/wiki Github wiki for mod_csrfprotector]

'''Mentors:''' Minhaz

=== Task 5-6: Create screencasts on how to deploy both version of CSRF Protector individually ===
'''Brief Explanation:'''

Create two screencasts, one for each, which explains how to deploy CSRF Protector in your existing web application.

'''Task Category:'''

Screencast

'''Expected Results:'''

Screencasts explaining how to use CSRF Protector with existing web applications.

'''Knowledge Prerequisites:'''

Experience with php, HTML, and Apache (for mod_csrfprotector)

'''Mentors:''' Minhaz

OWASP Code Kids 2015 Ideas

2014-11-08T08:32:07Z

A V Minhaz: /* Task 4: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

== OWASP CSRF Protector ==

=== Task 1-2: CSRF Protector logo ===

'''Brief Explanation:'''

Design logos for the for CSRF Protector Project, possibly two versions one for php library and another one for Apache module.
Both of them should resemble OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

OWASP CSRF Protector logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Minhaz

=== Task 3: Porting CSRF Protector PHP Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for CSRF Protector php library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.
'''Reference'''
[https://github.com/mebjas/CSRF-Protector-PHP/wiki Github wiki for CSRF Protector php]
'''Mentors:''' Minhaz

=== Task 4: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for mod_csrfprotector library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.

'''References'''

[https://github.com/mebjas/mod_csrfprotector/wiki Github wiki for mod_csrfprotector]

'''Mentors:''' Minhaz

=== Task 5-6: Create screencasts on how to deploy both version of CSRF Protector individually ===
'''Brief Explanation:'''

Create two screencasts, one for each, which explains how to deploy CSRF Protector in your existing web application.

'''Task Category:'''

Screencast

'''Expected Results:'''

Screencasts explaining how to use CSRF Protector with existing web applications.

'''Knowledge Prerequisites:'''

Experience with php, HTML, and Apache (for mod_csrfprotector)

'''Mentors:''' Minhaz

OWASP Code Kids 2015 Ideas

2014-11-08T08:31:48Z

A V Minhaz: /* Task 5-6: Create screencast on how to deploy both version of CSRF Protector individually */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

== OWASP CSRF Protector ==

=== Task 1-2: CSRF Protector logo ===

'''Brief Explanation:'''

Design logos for the for CSRF Protector Project, possibly two versions one for php library and another one for Apache module.
Both of them should resemble OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

OWASP CSRF Protector logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Minhaz

=== Task 3: Porting CSRF Protector PHP Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for CSRF Protector php library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.
'''Reference'''
[https://github.com/mebjas/CSRF-Protector-PHP/wiki Github wiki for CSRF Protector php]
'''Mentors:''' Minhaz

=== Task 4: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for mod_csrfprotector library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.
'''References''''
[https://github.com/mebjas/mod_csrfprotector/wiki Github wiki for mod_csrfprotector]

'''Mentors:''' Minhaz

=== Task 5-6: Create screencasts on how to deploy both version of CSRF Protector individually ===
'''Brief Explanation:'''

Create two screencasts, one for each, which explains how to deploy CSRF Protector in your existing web application.

'''Task Category:'''

Screencast

'''Expected Results:'''

Screencasts explaining how to use CSRF Protector with existing web applications.

'''Knowledge Prerequisites:'''

Experience with php, HTML, and Apache (for mod_csrfprotector)

'''Mentors:''' Minhaz

OWASP Code Kids 2015 Ideas

2014-11-08T08:31:10Z

A V Minhaz: /* OWASP CSRF Protector */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

== OWASP CSRF Protector ==

=== Task 1-2: CSRF Protector logo ===

'''Brief Explanation:'''

Design logos for the for CSRF Protector Project, possibly two versions one for php library and another one for Apache module.
Both of them should resemble OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

OWASP CSRF Protector logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Minhaz

=== Task 3: Porting CSRF Protector PHP Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for CSRF Protector php library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.
'''Reference'''
[https://github.com/mebjas/CSRF-Protector-PHP/wiki Github wiki for CSRF Protector php]
'''Mentors:''' Minhaz

=== Task 4: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for mod_csrfprotector library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.
'''References''''
[https://github.com/mebjas/mod_csrfprotector/wiki Github wiki for mod_csrfprotector]

'''Mentors:''' Minhaz

=== Task 5-6: Create screencast on how to deploy both version of CSRF Protector individually ===
'''Brief Explanation:'''

Create two screencasts, one for each, which explains how to deploy CSRF Protector in your existing web application.

'''Task Category:'''

Screencast

'''Expected Results:'''
Screencasts explaining how to use CSRF Protector with existing web applications.

'''Knowledge Prerequisites:'''
Experience with php, HTML, and Apache (for mod_csrfprotector)

'''Mentors:''' Minhaz

User:A V Minhaz

2014-11-08T08:20:38Z

A V Minhaz: /* Personal */

OWASP Code Kids 2015 Ideas

2014-11-08T08:19:08Z

A V Minhaz: /* Task 1: CSRF Protector logo */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

== OWASP CSRF Protector ==

=== Task 1: CSRF Protector logo ===

'''Brief Explanation:'''

Design logos for the for CSRF Protector Project, possibly two versions one for php library and another one for Apache module

'''Task Category:'''

Design

'''Expected Results:'''

OWASP CSRF Protector logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Minhaz

=== Task 2: Porting CSRF Protector PHP Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for CSRF Protector php library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.

'''Mentors:''' Minhaz

=== Task 3: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki ===

'''Brief Explanation:'''

Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.

'''Task Category:'''

Documentation

'''Expected Results:'''

Wiki for mod_csrfprotector library in OWASP.ORG .

'''Knowledge Prerequisites:'''

Familiarity with wiki.

'''Mentors:''' Minhaz

OWASP Code Kids 2015 Ideas

2014-11-07T20:25:52Z

A V Minhaz:

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

== OWASP CSRF Protector ==

=== Task 1: CSRF Protector logo ===

'''Brief Explanation:'''

Design a logo for the for OWASP CSRF Protector Project, possibly two versions one for php library and another for Apache module

'''Task Category:'''

Design

'''Expected Results:'''

OWASP CSRF Protector logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Minhaz

CSRF Mitigation methods

2014-09-20T20:20:46Z

A V Minhaz:

{{Template:Attack}}

[[Category:OWASP ASDR Project]]
 
===Note===
This wiki is currently incomplete! Feel free to contribute!

===Overview===
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
 For more information on CSRF visit:
 
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) CSRF OWASP Wiki]
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]

===OWASP CSRF Protector Project===
OWASP CSRF Protector is a new anti CSRF method to mitigate CSRF based attacks in web applications. It comes in two parts :
* Standalone php library: This library can be both easily integrated with both existing web application or easily used while developing a new one.
* Transparent Apache Module: Can be installed on Apache 2.x.x servers to provide CSRF mitigation without doing any modification in web application logic or codes.

====Features====
{| class="wikitable"
|-
! Properties / Tool
! CSRF Protector - php library
! mod_csrfprotector apache module
|-
| Dependencies
| None
| None
|-
| Works with
| php >= 4.3
| Apache 2.2.x
|-
| Current Status
| Alpha Version released
| Alpha Version released
|-
| Protection
| CSRF Protection for php web applications
| CSRF Protection for apache 2.2.x servers, irrespective of languages used as server side script!
|-
| NOJS Support
| Yes (Separate version supporting NoJS)
| No
|-
| More Information
| [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/CSRF-Protector-PHP Github Repository]
| [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/mod_csrfprotector Github Repository]
|}
===OWASP CSRF Guard Project===
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. It comes in two parts:
* A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
* A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

{| class="wikitable"
|-
! Properties / Tool
! CSRF Guard
|-
| Dependencies
| -
|-
| Works with
| -
|-
| Current Status
| -
|-
| Protection
| -
|-
| NOJS Support
| -
|-
| More Information
| [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project Wiki] [https://github.com/aramrami/OWASP-CSRFGuard-3 Github Repository]
|}

CSRF Mitigation methods

2014-09-20T20:19:59Z

A V Minhaz:

{{Template:Attack}}

[[Category:OWASP ASDR Project]]
 

===Overview===
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
 For more information on CSRF visit:
 
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) CSRF OWASP Wiki]
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]

===OWASP CSRF Protector Project===
OWASP CSRF Protector is a new anti CSRF method to mitigate CSRF based attacks in web applications. It comes in two parts :
* Standalone php library: This library can be both easily integrated with both existing web application or easily used while developing a new one.
* Transparent Apache Module: Can be installed on Apache 2.x.x servers to provide CSRF mitigation without doing any modification in web application logic or codes.

====Features====
{| class="wikitable"
|-
! Properties / Tool
! CSRF Protector - php library
! mod_csrfprotector apache module
|-
| Dependencies
| None
| None
|-
| Works with
| php >= 4.3
| Apache 2.2.x
|-
| Current Status
| Alpha Version released
| Alpha Version released
|-
| Protection
| CSRF Protection for php web applications
| CSRF Protection for apache 2.2.x servers, irrespective of languages used as server side script!
|-
| NOJS Support
| Yes (Separate version supporting NoJS)
| No
|-
| More Information
| [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/CSRF-Protector-PHP Github Repository]
| [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/mod_csrfprotector Github Repository]
|}
===OWASP CSRF Guard Project===
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. It comes in two parts:
* A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
* A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

{| class="wikitable"
|-
! Properties / Tool
! CSRF Guard
|-
| Dependencies
| -
|-
| Works with
| -
|-
| Current Status
| -
|-
| Protection
| -
|-
| NOJS Support
| -
|-
| More Information
| [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project Wiki] [https://github.com/aramrami/OWASP-CSRFGuard-3 Github Repository]
|}

Cross-Site Request Forgery (CSRF)

2014-09-20T20:17:46Z

A V Minhaz:

{{Template:Attack}}

[[Category:OWASP ASDR Project]]
 

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Overview==
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

==Related Security Activities==

===How to Review Code for CSRF Vulnerabilities===

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing code for Cross-Site Request Forgery issues |Reviewing code for CSRF]] Vulnerabilities.

===How to Test for CSRF Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]] Vulnerabilities.

===How to Prevent CSRF Vulnerabilities===

See the [http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet] for prevention measures.

Listen to the [http://www.owasp.org/download/jmanico/owasp_podcast_69.mp3 OWASP Top Ten CSRF Podcast].

Most frameworks have built-in CSRF support such as [http://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms Joomla], [http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html Spring], [http://web.securityinnovation.com/appsec-weekly/blog/bid/84318/Cross-Site-Request-Forgery-CSRF-Prevention-Using-Struts-2 Struts], [http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf Ruby on Rails], [http://www.troyhunt.com/2010/11/owasp-top-10-for-net-developers-part-5.html .NET] and others.

John Melton also has an [http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/ excellent blog post] describing how to use the native anti-CSRF functionality of the [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI].

==Description==
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.

For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request.

In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.

Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.

===Prevention measures that do '''NOT''' work===
;Using a secret cookie
:Remember that all cookies, even the ''secret'' ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.

;Only accepting POST requests
:Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in attacker's website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks form will do something else.


==Examples==

===How does the attack work?===
There are numerous ways in which an end-user can be tricked into loading information from or submitting information to a web application. In order to execute an attack, we must first understand how to generate a malicious request for our victim to execute. Let us consider the following example: Alice wishes to transfer $100 to Bob using ''bank.com'' web application that is vulnerable to CSRF. Maria, an attacker, wants to trick Alice to send the money to her instead. The attack will comprise of the following steps:

* building an exploit URL or script,
* tricking Alice into executing it with [[Social Engineering]]

====GET scenario====
If the application was designed to primarily use GET requrests to transfer parameters and execute actions, the money transfer operation might be reduced to such request:

GET <nowiki>http://bank.com/transfer.do?acct=BOB&amount=100</nowiki> HTTP/1.1

Maria now decides to exploit this web application vulnerability using Alice as her victim. Maria first constructs the following exploit URL which will transfer $100,000 from Alice's account to her account. She takes the original command URL and replaces the beneficiary name with herself, raising the transfer amount significantly at the same time:

<nowiki>http://bank.com/transfer.do?acct=MARIA&amount=100000</nowiki>

The [[Social Engineering]] part of the attack will be now to trick Alice to load this URL when she's logged into the bank. This is usually done with one of the following techniques:

* sending an unsolicited email with HTML content
* planting exploit URL or script on pages that are likely to be visited by the victim.

The exploit URL can be disguised either as ordinary link, encouraging the victim to click it:

<nowiki><a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a></nowiki>

Or by a 1x1 fake image:

<nowiki><img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0"></nowiki>

If this image tag were included in the email, Alice would only see a little box indicating that the browser could not render the image. However, the browser ''will still'' submit the request to bank.com without any visual indication that the transfer has taken place.

A real life example of CSRF attack on application using GET was [http://xs-sniper.com/blog/2008/04/21/csrf-pwns-your-box/ uTorrent exploit] from 2008 that was used on mass scale to download malware.

====POST scenario====
The only difference when POST requests are being is how the attack is being executed by the victim. Let's assume the bank now uses POST and the vulnerable request looks like this:

POST <nowiki>http://bank.com/transfer.do</nowiki> HTTP/1.1

acct=BOB&amount=100

Such request cannot be delivered using standard A or IMG tags, but can be delivered using FORM tag:

<form action="<nowiki>http://bank.com/transfer.do</nowiki>" method="POST">
<input type="hidden" name="acct" value="MARIA"/>
<input type="hidden" name=amount" value="100000"/>
<input type="submit" value="View my pictures"/>
</form>

This form will require user clicking the submit button, but this can be also executed automatically using JavaScript:

<body onload="document.forms[0].submit()">
<form...

====Other HTTP methods====
Modern web application APIs are frequently using other HTTP methods such as PUT or DELETE. Let's assume the vulnerable bank uses PUT method that takes JSON block as an argument:

PUT <nowiki>http://bank.com/transfer.do</nowiki> HTTP/1.1

{"acct":"BOB", "amount":100}

Such requests can be executed with JavaScript embedded into an exploit page:

<script>
function put() {
var x = new XMLHttpRequest();
x.open("PUT","<nowiki>http://bank.com/transfer.do</nowiki>",true);
x.setRequestHeader("Content-Type", "application/json");
x.send(JSON.stringify('{"acct":"BOB", "amount":100}'));
}
</script>
<body onload="put()">

Fortunately, this request will be '''not''' executed by modern web browsers thanks to [[Same-Origin Policy]] restrictions. This restriction will be however enabled only if the target web site does not explicitly open up their [[HTML5 Security Cheat Sheet#Cross_Origin_Resource_Sharing|CORS]] with the following header:

Access-Control-Allow-Origin: *


==Related [[Attacks]]==
* [[Cross-site Scripting (XSS)]]
* [[Cross Site History Manipulation (XSHM)]]


==Related [[Controls]]==
* Add a per-request nonce to URL and all forms in addition to the standard session. This is also referred to as "form keys". Many frameworks (ex, Drupal.org 4.7.4+) either have or are starting to include this type of protection "built-in" to every form so the programmer does not need to code this protection manually.
* TBD: Add a per-session nonce to URL and all forms
* TBD: Add a hash(session id, function name, server-side secret) to URL and all forms
* TBD: .NET - add session identifier to ViewState with MAC
* Checking the referrer in the client's HTTP request will prevent CSRF attacks. By ensuring the HTTP request have come from the original site means that the attacks from other sites will not function. It is very common to see referrer checks used on embedded network hardware due to memory limitations. XSS can be used to bypass both referrer and token based checks simultaneously. For instance the Sammy Worm used an XHR to obtain the CSRF token to forge requests.
* "Although cross-site request forgery is fundamentally a problem with the web application, not the user, users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session." -http://en.wikipedia.org/wiki/Cross-site_request_forgery#_note-1
* [[Tokenizing]]

==References==
* [http://www.cgisecurity.com/articles/csrf-faq.shtml The Cross-Site Request Forgery (CSRF/XSRF) FAQ]
: ''quote: "This paper serves as a living document for Cross-Site Request Forgery issues. This document will serve as a repository of information from existing papers, talks, and mailing list postings and will be updated as new information is discovered."''

* [[Testing for CSRF (OWASP-SM-005)|Testing for CSRF]]
: CSRF (aka Session riding) paper from the OWASP Testing Guide project (need to integrate)

* [http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2 CSRF Vulnerability: A 'Sleeping Giant']
: Overview Paper

* [http://www.owasp.org/index.php/Image:RequestRodeo-MartinJohns.pdf Client Side Protection against Session Riding]
: Martin Johns and Justus Winter's interesting paper and presentation for the 4th OWASP AppSec Conference which described potential techniques that browsers could adopt to automatically provide CSRF protection - [http://www.owasp.org/index.php/Image:RequestRodeo-MartinJohns.pdf PDF paper]

* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRF Guard]]
: J2EE, .NET, and PHP Filters which append a unique request token to each form and link in the HTML response in order to provide universal coverage against CSRF throughout your entire application.

* [http://owasp.org/index.php/CSRFProtector_Project OWASP CSRF Protector]
: a new anti CSRF method to mitigate CSRF in web applications. Currently implemented as a php library & Apache 2.x.x module

* [http://yehg.net/lab/pr0js/view.php/A_Most-Neglected_Fact_About_CSRF.pdf A Most-Neglected Fact About Cross Site Request Forgery (CSRF) ]
: Aung Khant, http://yehg.net, explained the danger and impact of CSRF with imperiling scenarios.

* [[:Category:OWASP CSRFTester Project|OWASP CSRF Tester]]
: The OWASP CSRFTester gives developers the ability to test their applications for CSRF flaws.

* [http://code.google.com/p/pinata-csrf-tool/ Pinata-CSRF-Tool: CSRF POC tool]
: Pinata makes it easy to create Proof of Concept CSRF pages. Assists in Application Vulnerability Assessment.

[[Category:Exploitation of Authentication]]
[[Category:Embedded Malicious Code]]
[[Category:Spoofing]]
[[Category: Attack]]

Category:OWASP CSRFGuard Project

2014-09-20T06:22:24Z

A V Minhaz: /* Related Projects */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRFGuard ==

Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the [http://www.corej2eepatterns.com/Design/PresoDesign.htm synchronizer token pattern] to mitigate the risk of [[Cross-Site Request Forgery]] (CSRF) attacks.

==Introduction==

The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

==Description==

==== Overview ====

OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard 3 provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. CSRFGuard no longer intercepts and modifies the HttpServletResponse object as was done in previous releases. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard 3.

==== JavaScript DOM Manipulation ===

OWASP CSRFGuard 3 supports the ability to dynamically inject CSRF prevention tokens throughout the DOM currently loaded in the user's browser. This strategy is extremely valuable with regards to server-side performance as it simply requires the serving of a dynamic JavaScript file. There is little to no performance hit when the fetched dynamic JavaScript updates the browser's DOM. Making use of the JavaScript token injection solution requires the developer map a Servlet and place a JavaScript HTML tag within all pages sending requests to protected application resources. Developers are strongly encouraged to leverage the JavaScript token injection strategy by default. This strategy requires minimal effort on behalf of the developer as most of the token injection logic is automated. In the event that the JavaScript automated solution may be insufficient for a specific application context, developers should leverage the OWASP CSRFGuard JSP tag library.

'''Note:''' Use of JavaScript DOM Manipulation is required for Ajax support.

[[File:CSRGuard.PNG|300px|thumb|left|CSRFGuard Architecture]]

== What is CSRFGuard? ==

OWASP CSRFGuard provides:

* A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
* A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

==Licensing==
The CSRFGuard project is run by Azzeddine RAMRAMI. He can be contacted at azzeddine.ramrami AT owasp.org. CSRFGuard distributions are currently maintained on GitHub.

OWASP CSRFGuard 3.1 is offered under the BSD license

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Presentation & Manual ==

Link to presentation

https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

== Project Leader ==

The CSRFGuard project is run by Azzeddine RAMRAMI. He can be contacted at azzeddine.ramrami AT owasp.org.

== Related Projects ==

:*[http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWASP CSRFTester ] - utility to assist in the testing and generating PoC for CSRF attacks.
:*[[Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet | OWASP CSRF Prevention Cheat Sheet]] - provides a more holistic overview of CSRF prevention strategies and associated frameworks.
:*http://www.owasp.org/index.php/PHP_CSRF_Guard - project implementing CSRFGuard style solution for PHP.
:*http://www.thespanner.co.uk/2007/10/19/jsck/ - project implementing CSRFGuard style solution for PHP and JavaScript.
:*http://www.owasp.org/index.php/.Net_CSRF_Guard - project implementing CSRFGuard style solution for ASP.NET.
:*https://www.owasp.org/index.php/CSRFProtector_Project - CSRF Protector Project - Implements new Anti CSRF method in web applications

== Ohloh ==

*https://www.ohloh.net/p/OWASP-CSRFGuard

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

Download and build the latest source code from GitHub :

* https://github.com/aramrami/OWASP-CSRFGuard-3

Download and build the latest source code from GitHub - https://github.com/aramrami/OWASP-CSRFGuard-3

[[CSRFGuard_Deprecated_Releases | Deprecated Releases]] - article containing several download references to deprecated and officially unsupported releases

== User Manual(s) ==

[[CSRFGuard_3_User_Manual | OWASP CSRFGuard v3 ]] - series of articles describing the installation, configuration, and deployment of OWASP CSRFGuard v3.
== News and Events ==

* [08 Fev 2014] A security fix has been published. See details on GitHub
* [10 Feb 2014] Release 3.1 of CSRFGuard project is now available for download
* [28 Jul 2014] A new Github repository called "OWASP CSRFGuard-3" with issues management has been created

== In Print ==

This project can be purchased as a print on demand book from Lulu.com

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

Here a complete CSRF attacks FAQ:

* http://www.cgisecurity.com/csrf-faq.html

= Acknowledgements =
==Volunteers==

CSRFGuard is developed by a worldwide team of volunteers. The primary contributors to date have been:

* Ahamed Nafeez, Security Engineer.
* Christa Erwin, Security, Programmer/Analyst.

==Others==

* Eric Sheridan was the original designer of CSRFGuard until 3.0 version.

= Road Map and Getting Involved =

As of CSRFGuard the priorities are:
* Address any security vulnerabilities around javascript prototype hijacking
* Support for Internet Explorer
* Addressing outstanding issues listed in GitHub
* Support for Multi-part requests
* Add support for the 'Origin' header

Involvement in the development and promotion of CSRFGurd is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Make fix to the actual version
* Propose a security enhcement
* Write a complete Architecture Folder for CSRFGurd
* Add an IA engine to detect unknown attacks.

=Contact US=
You can sign up for the OWASP CSRFGuard email list at [https://lists.owasp.org/mailman/listinfo/owasp-csrfguard https://lists.owasp.org/mailman/listinfo/owasp-csrfguard]

__NOTOC__ <headertabs />

[[Category:OWASP Project]]

CSRF Mitigation methods

2014-09-20T06:19:49Z

A V Minhaz:

CSRF Mitigation methods

2014-09-20T06:19:10Z

A V Minhaz:

{{Template:Attack}}

[[Category:OWASP ASDR Project]]
 

===Overview===
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
 For more information on CSRF visit:
 
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) CSRF OWASP Wiki]
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]

===OWASP CSRF Protector Project===
OWASP CSRF Protector is a new anti CSRF method to mitigate CSRF based attacks in web applications. It comes in two parts :
* Standalone php library: This library can be both easily integrated with both existing web application or easily used while developing a new one.
* Transparent Apache Module: Can be installed on Apache 2.x.x servers to provide CSRF mitigation without doing any modification in web application logic or codes.

====Features====
{| class="wikitable"
|-
! Properties / Tool
! CSRF Protector - php library
! mod_csrfprotector apache module
|-
| Dependencies
| None
| None
|-
| Works with
| php >= 4.3
| Apache 2.2.x
|-
| Current Status
| Alpha Version released
| Alpha Version released
|-
| Protection
| CSRF Protection for php web applications
| CSRF Protection for apache 2.2.x servers, irrespective of languages used as server side script!
|-
| NOJS Support
| Yes (Separate version supporting NoJS)
| No
| -
| More Information
| [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/CSRF-Protector-PHP Github Repository]
| [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/mod_csrfprotector Github Repository]
|}
===OWASP CSRF Guard Project===
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. It comes in two parts:
* A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
* A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

CSRF Mitigation methods

2014-09-07T20:01:07Z

A V Minhaz:

CSRF Mitigation methods

2014-09-07T20:00:36Z

A V Minhaz:

CSRF Mitigation methods

2014-09-07T19:59:19Z

A V Minhaz:

CSRF Mitigation methods

2014-09-07T19:56:19Z

A V Minhaz:

CSRF Mitigation methods

2014-09-03T12:24:07Z

A V Minhaz:

CSRF Mitigation methods

2014-09-03T12:15:47Z

A V Minhaz:

CSRF Mitigation methods

2014-09-03T12:10:35Z

A V Minhaz: Created page with "{{Template:Attack}} Category:OWASP ASDR Project ===Overview=== CSRF is an attack which forces an end user to execute unwanted actions on a web application in which..."

CSRFMitigation

2014-09-03T12:08:34Z

A V Minhaz:

Different strategies / tools for CSRF mitigation
=======================

CSRFMitigation

2014-08-27T16:45:27Z

A V Minhaz: Created page with "Placeholder for all CSRF Mitigation methods available on internet for now =================="

Placeholder for all CSRF Mitigation methods available on internet for now
==================

CSRF Protector php library

2014-07-26T20:38:32Z

A V Minhaz:

<h2>CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability</h2>

==What is CSRF Protector php library==
Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. [https://github.com/mebjas/CSRF-Protector-PHP/wiki More information available at github wiki]

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms

==Damages Mitigated==
* Cross Site Request Forgery

==How to contribute==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

==Current Status==
Version 0.1.0 Released!

==Download Now==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/download/v0.1.0/csrfp.-php-library.zip - CSRFP php master code] 
[https://github.com/mebjas/CSRF-Protector-PHP/releases/download/v0.1.0/csrfp-php-library-nojs.zip - CSRFP php with nojs support]

CSRFProtector Project

2014-07-26T20:33:10Z

A V Minhaz:

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |
== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]

== Website ==

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

CSRF Protector php library

2014-07-25T22:15:53Z

A V Minhaz:

<h2>CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability</h2>

==What is CSRF Protector php library==
Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. [https://github.com/mebjas/CSRF-Protector-PHP/wiki More information available at github wiki]

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms

==Damages Mitigated==
* Cross Site Request Forgery

==How to contribute==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

==Current Status==
Version 0.1.0 Released!

==Download Now==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/download/v1.0.0/csrfp.-php-library.zip - CSRFP php master code] 
[https://github.com/mebjas/CSRF-Protector-PHP/releases/download/v1.0.0/csrfp-php-library-nojs.zip - CSRFP php with nojs support]

CSRFProtector Project

2014-07-25T19:23:04Z

A V Minhaz:

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP CSRF Protector Project==
OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

==What is CSRF Protector?==
CSRF Protector Project has two parts:
<li>Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
</li>
<li>php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
</li>
==Why CSRF Protector?==
CSRF Protector is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use] 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
==Major Contributors==
*[[User:A_V_Minhaz|Minhaz]]
*[[User:Kevin_W._Wall|Kevin W Wall]]
*[[User:Jmanico|Jim Manico]]
*Abhinav Dahiya

==Features Offered==
CSRF Protection provide protection for:
* Normal HTML forms (POST/GET)
* Normal Get requests (Not enabled by default)
* Ajax Requests (XHR)
* Dynamically generated forms
==Damages Mitigated==
* Cross Site Request Forgery

==Get Involved==
To contribute to the code fork and send a pull to: 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library] 
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]

For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]

| valign="top" style="padding-left:25px;width:200px;" |
== Salient Features ==
* Easy to integrate
* Support for AJAX & GET requests
* Per request token used
* Cross Domain Support (Next version)

== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v1.0.0 CSRF Protector PHP library]

== Website ==

== News and Events ==

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Apache Module =
{{:Mod_csrfprotector}}
= php library =
{{:CSRF_Protector_php_library}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]