This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

CSRFProtector Project

From OWASP
Jump to: navigation, search

OWASP CSRF Protector Project

OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

GitHub Repo - php library
GitHub Repo - Apache module


What is CSRF Protector?

CSRF Protector Project has two parts:

  • Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
  • php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. View More

  • Its based on the research paper A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011

    Why CSRF Protector?

    CSRF Protector is suitable for three group of developers:

    • Framework Developers can use the libraries and tools to strengthen their framework security
    • PHP Application Developers can use the library and tools to enhance their application security
    • New PHP Developers can use the tools and libraries to create secure applications from scratch

    Project leader

    How to use

    See github wiki - How to use
    Gihub wiki

    Major Contributors

    Features Offered

    CSRF Protection provide protection for:

    • Normal HTML forms (POST/GET)
    • Normal Get requests (Not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    Get Involved

    To contribute to the code fork and send a pull to:
    GitHub Repo - php library
    GitHub Repo - Apache module
    Todofy - php library
    Todofy - Apache module

    For discussions, join our mailing list: - Mailing List

    Salient Features

    • Easy to integrate
    • Support for AJAX & GET requests
    • Per request token used
    • Cross Domain Support (Next version)

    Quick Download

    CSRFProtector PHP

    Quick Links

    - SlideShare Deck

    News and Events

    Classifications

    Owasp-incubator-trans-85.png Owasp-builders-small.png
    Owasp-defenders-small.png
    Cc-button-y-sa-small.png

    mod_csrfprotector - Apache 2.x.x Modules for mitigating CSRF attacks

    What is mod_csrfprotector

    Its an Apache 2.x.x Module (Currently 2.2.x) under development. It can be installed and configured in any Apache Server to protect it against Cross Site Request Forgery attacks. mod_csrfprotector provides protection to both POST and GET requests (not enabled by default).

    How mod_csrfprotector works?

    Once installed in Apache Server, every request that is made to the server, and validated against CSRF attacks by the input filters. Input filter follows a protocol as mentioned by developer in configuration, which helps the module to decide weather to validated the request. The input filter checks for appropriate token sent with request. Request if forwarded to other filters or content generator (like php or cgi) in validation is successful. Otherwise, appropriate actions are taken as per configuration. For ex: 403, Forbidden header is send to client. The Output filter, checks for content type of output generated by content generator and if it is `text/html` or `text/xhtml` it appends javascript code to the output. This js code in client side is responsible for attaching CSRFP_token with every required request sent from client.

    Features Offered

    CSRF Protection provide protection for:

    • Normal HTML forms (POST/GET)
    • Normal Get requests (Not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    How to contribute

    To contribute to the code fork and send a pull to:
    GitHub Repo - mod_csrfprotector

    For discussions, join our mailing list: - Mailing List

    TODOs

    All todos for mod_csrfprotector are listed at: todofy: mod_csrfprotector

    Current Status

    Under Development

    CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability

    What is CSRF Protector php library

    Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. More information available at github wiki

    Features Offered

    CSRF Protection provide protection for:

    • Normal HTML forms (POST/GET)
    • Normal Get requests (Not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    How to contribute

    To contribute to the code fork and send a pull to:
    GitHub Repo

    For discussions, join our mailing list: - Mailing List

    Current Status

    Version 1.0.0 Released!

    TODOs

    All todos for CSRF Protector PHP are listed at: todofy - CSRF Protector PHP

    Download Now

    - CSRFP php master code