PHP CSRF Guard

2012-01-20T22:45:35Z

Greggles: link to download

==PHP CSRF Guard==

If you need to protect against CSRF attacks in your code, this little helper can reduce the risk.

===Architectural Issues===

The main issue with CSRF is the lack of "authentication" of a privileged function. Therefore, in combination with this helper, you should:

* Low value: Consider asking the user (on a new page / form) to re-authenticate using their password to confirm the action
* Medium value: Consider the use of second-factor authentication, such as sending the user an e-mail or SMS message with a random token which they must enter
* High value: disconnected calculator transaction signing the transaction

===Using this code===

* Download the code (see [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project page] for github details)
* Include it within your project
* Use the object to create a hidden field Inside your forms, like this:

?>
<form ... >
<input ...>
<?php echo $cg; ?>
</form>
</code>

When you take the form submission, assert the form's validity:

try
{
$cg->isValid();
// your code here
}
catch (TokenException $e)
{
// handle exception
}
catch (// your exceptions here)

===Caveats on use===

This code is object-orientated. It relies upon PHP 5 only features, and throws a custom exception type. You should familiarize yourself with this coding style if you are still practicing function based PHP coding. It's not hard - see above.

The code is PHP 5 only as this is the safest and most secure version of PHP available today. Your apps should be using PHP 5.2 or later to ensure that your application is running on a secure foundation.

===LIcense===

To allow widespread adoption, this code is licensed under the Creative Commons Share Alike 2.5 License. This allows you to use this in commercial and non-commercial applications alike. This license is GPL friendly.

Denver

2008-07-21T20:11:33Z

Greggles: adding helpful link to Grendel-Scan home page.

{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:owasp@electricalchemy.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}

== Next Meeting ==

=== Next Meeting: 16 July 2008 ===

The next meeting is

=== Wednesday, '''July 16th''', 2008 at [http://rpsc.raytheon.com/ Raytheon Polar Services] ===
at [http://maps.google.com/maps?f=q&hl=en&q=7400+s.+tucson+way+80112&ie=UTF8&ll=39.584425,-104.837079&spn=0.007227,0.013089&z=16&iwloc=addr 7400 S. Tucson Way, Centennial, CO 80112].

===Intro to Grendel - a WebApp PenTesting Tool - BRING A LAPTOP===
David Byrne and Eric Duprey will be presenting their latest work - [http://www.grendel-scan.com/ Grendel-Scan]. Grendel is a tool that's been developed to automate some appsec testing.

During this presentation, these guys will show how to use Grendel to accelerate webapp pen testing.

David Byrne is an infosec veteran, with experience ranging from penetration testing for Fortune 100's to architecting security solutions for large multinational financials to consulting for government agencies. David is presently part of the team at Trustwave.

Eric Duprey is a Senior Security Engineer for Dish Network Corporation and co-leader of the Denver OWASP Chapter.

Updates will be spammed to the Chapter Mailing List.

Agenda:

6-6:30 Dinner (at Raytheon Polar; pizza provided by [http://www.trustwave.com TrustWave].

6:30 - 6:40 Chapter business

6:40 - 8:00 Presentation and Q&A

Following the meeting we will have informal discussions over beverages at [http://maps.google.com/maps?f=q&hl=en&q=jd+bait+shop+denver&ie=UTF8&z=10&iwloc=A JD's Bait Shop].

-----------------------------------------------------------------------

----

===Questions, Comments===
Questions can be directed to
*[mailto:dcampbell@owasp.org David Campbell, Denver OWASP]
*[mailto:eduprey@gmail.com Eric Duprey, Denver OWASP]

== Future Meetings ==

16 July 2008: David Byrne and Eric Duprey: Presenting a brand new Open Source Web-App Vulnerability Scanner!

[http://www.denimgroup.com/about_team_dan.html 20 August 2008: Dan Cornell]

September 2008: available

October 2008: available

November 2008: available

December 2008: available

== Past Meetings ==

[[Front Range OWASP Conference|June 2008]]

[[Denver May 2008 meeting|May 2008]]

[[Denver April 2008 meeting|April 2008]]

[[Denver February 2008 meeting|February 2008]]

[[Denver June 2007 meeting|June 2007]]

[[Denver April 2007 meeting|April 2007]]

[[Denver February 2007 meeting|February 2007]]

[[Denver January 2007 meeting|January 2007]]

[[Denver November 2006 meeting|November 2006]]

----

==Chapter Planning Pages==
[[Front Range Web Application Security Summit Planning Page|Front Range Web Application Security Summit Planning]]

OWASP - User contributions [en]

PHP CSRF Guard

Denver