This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "CSRFProtector Project"

From OWASP

Jump to: navigation, search

Latest revision as of 22:12, 15 March 2018

Main
Apache Module
php library

OWASP CSRF Protector Project

OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

GitHub Repo - php library
GitHub Repo - Apache module

What is CSRF Protector?

CSRF Protector Project has two parts:

Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.

php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. View More

Its based on the research paper A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011

Why CSRF Protector?

CSRF Protector is suitable for three group of developers:

Framework Developers can use the libraries and tools to strengthen their framework security
PHP Application Developers can use the library and tools to enhance their application security
New PHP Developers can use the tools and libraries to create secure applications from scratch

Project leader

Minhaz

How to use

See github wiki - How to use
Gihub wiki

Major Contributors

Features Offered

CSRF Protection provide protection for:

Normal HTML forms (POST/GET)
Normal Get requests (Not enabled by default)
Ajax Requests (XHR)
Dynamically generated forms

Damages Mitigated

Cross Site Request Forgery

Get Involved

To contribute to the code fork and send a pull to:
GitHub Repo - php library
GitHub Repo - Apache module
Todofy - php library
Todofy - Apache module

For discussions, join our mailing list: - Mailing List

Salient Features

Easy to integrate
Support for AJAX & GET requests
Per request token used
Cross Domain Support (Next version)

Quick Download

CSRFProtector PHP

Quick Links

- SlideShare Deck

News and Events

Classifications

mod_csrfprotector - Apache 2.x.x Modules for mitigating CSRF attacks

What is mod_csrfprotector

Its an Apache 2.x.x Module (Currently 2.2.x) under development. It can be installed and configured in any Apache Server to protect it against Cross Site Request Forgery attacks. mod_csrfprotector provides protection to both POST and GET requests (not enabled by default).

How mod_csrfprotector works?

Once installed in Apache Server, every request that is made to the server, and validated against CSRF attacks by the input filters. Input filter follows a protocol as mentioned by developer in configuration, which helps the module to decide weather to validated the request. The input filter checks for appropriate token sent with request. Request if forwarded to other filters or content generator (like php or cgi) in validation is successful. Otherwise, appropriate actions are taken as per configuration. For ex: 403, Forbidden header is send to client. The Output filter, checks for content type of output generated by content generator and if it is `text/html` or `text/xhtml` it appends javascript code to the output. This js code in client side is responsible for attaching CSRFP_token with every required request sent from client.

Features Offered

CSRF Protection provide protection for:

Normal HTML forms (POST/GET)
Normal Get requests (Not enabled by default)
Ajax Requests (XHR)
Dynamically generated forms

Damages Mitigated

Cross Site Request Forgery

How to contribute

To contribute to the code fork and send a pull to:
GitHub Repo - mod_csrfprotector

For discussions, join our mailing list: - Mailing List

TODOs

All todos for mod_csrfprotector are listed at: todofy: mod_csrfprotector

Current Status

Under Development

CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability

What is CSRF Protector php library

Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. More information available at github wiki

Features Offered

CSRF Protection provide protection for:

Normal HTML forms (POST/GET)
Normal Get requests (Not enabled by default)
Ajax Requests (XHR)
Dynamically generated forms

Damages Mitigated

Cross Site Request Forgery

How to contribute

To contribute to the code fork and send a pull to:
GitHub Repo

For discussions, join our mailing list: - Mailing List

Current Status

Version 1.0.0 Released!

TODOs

All todos for CSRF Protector PHP are listed at: todofy - CSRF Protector PHP

Download Now

- CSRFP php master code

Retrieved from "https://wiki.owasp.org/index.php?title=CSRFProtector_Project&oldid=238652"

Categories:

@@ Line 2: / Line 2: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 ==OWASP CSRF Protector Project==
@@ Line 17: / Line 17: @@
 <li><b>php library: </b> A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
 </li>
+<br>
+Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]
 ==Why CSRF Protector?==
 CSRF Protector is suitable for three group of developers:
@@ Line 26: / Line 29: @@
 ==Project leader==
-[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]
+*[[User:A_V_Minhaz|Minhaz]]
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 ==How to use==
-[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use  See github wiki - How to use]<br>
+[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use]<br>
 [https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
 ==Major Contributors==
 *[[User:A_V_Minhaz|Minhaz]]
 *[[User:Kevin_W._Wall|Kevin W Wall]]
+*[[User:Abbas Naderi|Abbas Naderi]]
 *[[User:Jmanico|Jim Manico]]
 *Abhinav Dahiya
@@ Line 50: / Line 55: @@
 To contribute to the code fork and send a pull to:<br>
 [https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library]<br>
-[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]
+[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]<br>
+[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library]<br>
+[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]
 For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]
+| valign="top" style="padding-left:25px;width:200px;" |
-| valign="top"  style="padding-left:25px;width:200px;" |
 == Salient Features ==
 * Easy to integrate
@@ Line 64: / Line 70: @@
 == Quick Download ==
-[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v1.0.0 CSRF Protector PHP library]
+[https://github.com/mebjas/CSRF-Protector-PHP/releases CSRFProtector PHP]
-== Website ==
+== Quick Links ==
+- [http://www.slideshare.net/MinhazAv/csrf-protector SlideShare Deck]
 == News and Events ==
@@ Line 73: / Line 80: @@
     {| width="200" cellpadding="2"
     |-
-    | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
+    | rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
-    | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
+    | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
     |-
-    | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
+    | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
     |-
-    | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+    | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
     |}
 |}
 = Apache Module =
@@ Line 89: / Line 95: @@
 {{:CSRF_Protector_php_library}}
-__NOTOC__ <headertabs />
+__NOTOC__ <headertabs></headertabs>
-[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]
+[[Category:OWASP Project]]
+[[Category:OWASP_Builders]]
+[[Category:OWASP_Defenders]]
+[[Category:OWASP_Document]]
+[[Category:OWASP_Download]]

Difference between revisions of "CSRFProtector Project"

Latest revision as of 22:12, 15 March 2018

OWASP CSRF Protector Project

What is CSRF Protector?

Why CSRF Protector?

Project leader

How to use

Major Contributors

Features Offered

Damages Mitigated

Get Involved

Salient Features

Quick Download

Quick Links

News and Events

Classifications

mod_csrfprotector - Apache 2.x.x Modules for mitigating CSRF attacks

What is mod_csrfprotector

How mod_csrfprotector works?

Features Offered

Damages Mitigated

How to contribute

TODOs

Current Status

CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability

What is CSRF Protector php library

Features Offered

Damages Mitigated

How to contribute

Current Status

TODOs

Download Now

Navigation menu

Search