This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP CSRFGuard Project"

From OWASP
Jump to: navigation, search
(Source Code)
(Classifications: Added stage and category)
 
(82 intermediate revisions by 9 users not shown)
Line 1: Line 1:
==Overview==
 
  
Just when developers are starting to run in circles over [[Cross Site Scripting]], the [http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2 'sleeping giant'] awakes for yet another web-catastrophe. [[Cross-Site Request Forgery]] (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens.
+
=Main=
  
[http://www.owasp.org/index.php/How_CSRFGuard_Works Click here] for more information regarding the design and implementation of CSRFGuard.
+
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
  
==License==
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
  
CSRFGuard is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.
+
==OWASP CSRFGuard ==
  
== News ==
+
Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the [http://www.corej2eepatterns.com/Design/PresoDesign.htm synchronizer token pattern] to mitigate the risk of [[Cross-Site Request Forgery]] (CSRF) attacks.
  
'''13:35, 13 June 2008 (EDT) OWASP CSRFGuard 2.2 Beta Released!'''
+
==Introduction==
  
In my spare time, I had been working on several minor updates to the OWASP CSRFGuard 2.0 release. Several of these updates address bugs that were identified in the previous release. Currently, I am spending a significant amount of time working on internal Aspect Security projects and have not had enough time to complete the release as I had wanted. One particular area that needs work is the inclusion of automated JUnit test cases. Instead of leaving the source lay untouched on my laptop, I've decided to make it available for people to test. Although this release is officially "Beta", it is very stable and '''developers are encouraged to consider testing and upgrading to the latest version'''. The reason for this push is that there are a couple of bugs that were never caught in 2.0. More information regarding the updates to 2.2 Beta can be found [http://www.owasp.org/index.php/CSRFGuard_2.2_ChangeLog here].
+
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.  
  
== Source Code ==
+
==Description==
  
You can access the SVN repository online at: http://owaspcsrfguard.googlecode.com
+
==== Overview ====
  
== Downloads ==
+
OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard 3 provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. CSRFGuard no longer intercepts and modifies the HttpServletResponse object as was done in previous releases. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard 3.
  
=== Version 1===
+
==== JavaScript DOM Manipulation ====
  
[http://www.owasp.org/index.php/Image:CSRF_Guard.zip Click here] to download the latest version of the OWASP CSRFGuard 1.x series.
+
OWASP CSRFGuard 3 supports the ability to dynamically inject CSRF prevention tokens throughout the DOM currently loaded in the user's browser. This strategy is extremely valuable with regards to server-side performance as it simply requires the serving of a dynamic JavaScript file. There is little to no performance hit when the fetched dynamic JavaScript updates the browser's DOM. Making use of the JavaScript token injection solution requires the developer map a Servlet and place a JavaScript HTML tag within all pages sending requests to protected application resources. Developers are strongly encouraged to leverage the JavaScript token injection strategy by default. This strategy requires minimal effort on behalf of the developer as most of the token injection logic is automated. In the event that the JavaScript automated solution may be insufficient for a specific application context, developers should leverage the OWASP CSRFGuard JSP tag library.
  
=== Version 2===
+
'''Note:''' Use of JavaScript DOM Manipulation is required for Ajax support.
  
[http://www.owasp.org/index.php/Image:OWASP-CSRFGuard-2.0.jar Click here] to download the latest OWASP CSRFGuard 2.0 binary.
 
  
[http://www.owasp.org/index.php/Image:OWASP_CSRFGuard-2.0-src.zip Click here] to download the latest OWASP CSRFGuard 2.0 source, binary, and sample configuration files '''(Recommended)'''.
+
[[File:CSRGuard.PNG|300px|thumb|left|CSRFGuard Architecture]]
  
[http://www.owasp.org/images/c/c9/CSRF_DangerDetectionDefenses.ppt Click here] to download the author's presentation at the 2007 OWASP conference in San Jose about the dangers of CSRF and a brief description of both CSRF Guard and CSRF Tester.
+
== What is CSRFGuard? ==
  
=== Version 2.2 Beta ===
+
OWASP CSRFGuard  provides:
  
 +
* A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
 +
* A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.
  
[http://www.owasp.org/index.php/Image:OWASP-CSRFGuard-2.2-dist.jar Click here] to download the latest OWASP CSRFGuard 2.2 binary.
 
  
[http://www.owasp.org/index.php/Image:OWASP-CSRFGuard-2.2-src.zip Click here] to download the latest OWASP CSRFGuard 2.2 bundle which consists of source, binary, and sample configuration files. This includes the CSRFGuard properties file, ant build/deploy script, as well as the JSP tag definition '''(Recommended)'''.
+
== Ohloh ==
  
[http://www.owasp.org/index.php/Image:OWASP-CSRFGuard-TestApp-2.2-src.zip Click here] to download a sample web application that makes use of OWASP CSRFGuard 2.2. This version comes with the CSRFGuard binary in WEB-INF/lib but it is not guaranteed to be the latest version. Replace it with the download above. The WebContent folder contains several JSP files that were used during testing. One file, "tags.jsp", shows how to use the custom JSP tag to insert the token.
+
*https://www.ohloh.net/p/OWASP-CSRFGuard
  
[http://www.owasp.org/index.php/CSRFGuard_2.2_ChangeLog Click here] for a detailed change list of the latest version.
+
| valign="top"  style="padding-left:25px;width:200px;" |
  
[http://www.owasp.org/index.php/CSRFGuard_2.2_Configuration_Manual Click here] for the OWASP CSRFGuard configuration manual.
 
 
[http://www.owasp.org/index.php/CSRFGuard_2.2_Installation Click here] for OWASP CSRFGuard installation instructions.
 
  
[http://www.owasp.org/index.php/CSRFGuard_2.2_Tag_Usage Click here] for OWASP CSRFGuard tag library usage instructions.
+
== In Print ==
  
== Installation Instructions ==
+
This project can be purchased as a print on demand book from Lulu.com
  
[[CSRFGuard 1.x Installation|Click here]] to view the installation instructions of the OWASP CSRFGuard 1.0 series.
+
==Classifications==
  
[http://www.owasp.org/index.php/CSRFGuard_2.0_Installation Click here] to view the installation instructions of the OWASP CSRFGuard 2.0 series.
+
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
  
== Road Map ==
+
|}
  
[https://www.owasp.org/index.php/CSRF_Guard_2.2_Roadmap Click here] to view the road map for the latest development version of CSRFGuard. Please feel free to add your own change requests or send me patches/diffs!
+
= Licensing =
  
==CSRF Testing Tool==
+
OWASP CSRFGuard 3.1 is offered under the BSD license
  
Check out the [http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWASP CSRF Tester] tool which allows you to test for CSRF vulnerabilities. This tool is also written in Java.
+
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
==CSRF Prevention Cheat Sheet ==
+
= Presentation & Manual =
  
Please see the [http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet] for more information on prevention.
+
Link to presentation
  
==Feedback and Participation ==
+
https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
  
We hope you find CSRFGuard useful. Please contribute back to the project by sending your comments, questions, and suggestions to OWASP. Thanks!
+
= Project Leader =
  
==Similar Projects==
+
The CSRFGuard project is run by [mailto:azzeddine.ramrami(at)owasp.org Azzeddine RAMRAMI].
  
There are a small number of other projects that implement the unique random request token concept similar to that of CSRFGuard. They are as follows:
+
The project co-leader is [mailto:sebastien.gioria(at)owasp.org  Sébastien Gioria].
  
:*http://www.owasp.org/index.php/PHP_CSRF_Guard
+
With the active participation of:
:*http://www.thespanner.co.uk/2007/10/19/jsck/
+
  [mailto:ahamednafeez(at)gmail.com  Ahamed Nafeez] : Security Tester & Bug Finder
:*http://www.owasp.org/index.php/.Net_CSRF_Guard
+
  [mailto:Trent.schmidt(at)gmail.com Trent Schmidt] : Release & Maven Central helper
  
==Donations==
+
== Related Projects ==
  
The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].
+
:*[http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWASP CSRFTester ] - utility to assist in the testing and generating PoC for CSRF attacks.
 +
:*[[Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet | OWASP CSRF Prevention Cheat Sheet]] - provides a more holistic overview of CSRF prevention strategies and associated frameworks.
 +
:*http://www.owasp.org/index.php/PHP_CSRF_Guard - project implementing CSRFGuard style solution for PHP.
 +
:*http://www.thespanner.co.uk/2007/10/19/jsck/ - project implementing CSRFGuard style solution for PHP and JavaScript.
 +
:*http://www.owasp.org/index.php/.Net_CSRF_Guard - project implementing CSRFGuard style solution for ASP.NET.
 +
:*https://www.owasp.org/index.php/CSRFProtector_Project - CSRF Protector Project - Implements new Anti CSRF method in web applications
  
==Project Sponsors==  
+
= Source Code Download =
  
The OWASP CSRFGuard project is lead by Eric Sheridan (eric dot sheridan at owasp dot org) and sponsored by [http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif].
+
Download and build the latest source code from GitHub :
  
[[Category:OWASP_Validation_Project]]
+
* https://github.com/aramrami/OWASP-CSRFGuard
[[Category:Java]]
+
 
[[Category:OWASP_Project|CSRFGuard Project]]
+
Download and build the latest source code from GitHub - https://github.com/aramrami/OWASP-CSRFGuard-3
[[Category:OWASP_Java_Project]]
+
 
 +
[[CSRFGuard_Deprecated_Releases | Deprecated Releases]] - article containing several download references to deprecated and officially unsupported releases
 +
 
 +
== CSRFGuard Binary in Maven Central ==
 +
 
 +
You can download a binary version from Maven Central here:
 +
 
 +
* https://oss.sonatype.org/#nexus-search;gav~~csrfguard
 +
 
 +
Thanks to Trent Schmidt and Joel Orlina (JIRA) for there help.
 +
 
 +
== User Manual(s) ==
 +
 
 +
[[CSRFGuard_3_User_Manual | OWASP CSRFGuard v3 ]] - series of articles describing the installation, configuration, and deployment of OWASP CSRFGuard v3.
 +
= News and Events =
 +
 
 +
* [08 Fev 2014] A security fix has been published. See details on GitHub
 +
* [10 Feb 2014] Release 3.1 of CSRFGuard project is now available for download
 +
* [28 Jul 2014] A new Github repository called "OWASP CSRFGuard-3" with issues management has been created
 +
=FAQs=
 +
 
 +
Here a complete CSRF attacks FAQ:
 +
 
 +
* http://www.cgisecurity.com/csrf-faq.html
 +
 
 +
= Acknowledgements =
 +
==Volunteers==
 +
 
 +
CSRFGuard is developed by a worldwide team of volunteers. The primary contributors to date have been:
 +
 
 +
* Ahamed Nafeez, Security Engineer.
 +
* Christa Erwin, Security, Programmer/Analyst.
 +
* Trent Schmidt, Release & Maven Central helper
 +
 
 +
==Others==
 +
 
 +
* Eric Sheridan was the original designer of CSRFGuard until 3.0 version.
 +
 
 +
= Road Map and Getting Involved =
 +
 
 +
As of CSRFGuard the priorities are:
 +
* Address any security vulnerabilities around javascript prototype hijacking
 +
* Support for Internet Explorer
 +
* Addressing outstanding issues listed in GitHub
 +
* Support for Multi-part requests
 +
* Add support for the 'Origin' header
 +
 
 +
Involvement in the development and promotion of CSRFGurd is actively encouraged!
 +
You do not have to be a security expert in order to contribute.
 +
Some of the ways you can help:
 +
* Make fix to the actual version
 +
* Propose a security enhcement
 +
* Write a complete Architecture Folder for CSRFGurd
 +
* Add an IA engine to detect unknown attacks.
 +
 
 +
 
 +
 
 +
=Contact US=
 +
You can sign up for the OWASP CSRFGuard email list at [https://lists.owasp.org/mailman/listinfo/owasp-csrfguard https://lists.owasp.org/mailman/listinfo/owasp-csrfguard]
 +
 
 +
__NOTOC__ <headertabs />
 +
 
 +
[[Category:OWASP Project]]
 +
[[Category:SAMM-SA-2]]

Latest revision as of 20:19, 28 March 2016

Flagship big.jpg

OWASP CSRFGuard

Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.

Introduction

The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

Description

Overview

OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard 3 provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. CSRFGuard no longer intercepts and modifies the HttpServletResponse object as was done in previous releases. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard 3.

JavaScript DOM Manipulation

OWASP CSRFGuard 3 supports the ability to dynamically inject CSRF prevention tokens throughout the DOM currently loaded in the user's browser. This strategy is extremely valuable with regards to server-side performance as it simply requires the serving of a dynamic JavaScript file. There is little to no performance hit when the fetched dynamic JavaScript updates the browser's DOM. Making use of the JavaScript token injection solution requires the developer map a Servlet and place a JavaScript HTML tag within all pages sending requests to protected application resources. Developers are strongly encouraged to leverage the JavaScript token injection strategy by default. This strategy requires minimal effort on behalf of the developer as most of the token injection logic is automated. In the event that the JavaScript automated solution may be insufficient for a specific application context, developers should leverage the OWASP CSRFGuard JSP tag library.

Note: Use of JavaScript DOM Manipulation is required for Ajax support.


CSRFGuard Architecture

What is CSRFGuard?

OWASP CSRFGuard provides:

  • A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
  • A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.


Ohloh


In Print

This project can be purchased as a print on demand book from Lulu.com

Classifications

Owasp-flagship-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

OWASP CSRFGuard 3.1 is offered under the BSD license

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

The CSRFGuard project is run by Azzeddine RAMRAMI.

The project co-leader is Sébastien Gioria.

With the active participation of:

 Ahamed Nafeez : Security Tester & Bug Finder
 Trent Schmidt : Release & Maven Central helper 

Related Projects

Download and build the latest source code from GitHub :

Download and build the latest source code from GitHub - https://github.com/aramrami/OWASP-CSRFGuard-3

Deprecated Releases - article containing several download references to deprecated and officially unsupported releases

CSRFGuard Binary in Maven Central

You can download a binary version from Maven Central here:

Thanks to Trent Schmidt and Joel Orlina (JIRA) for there help.

User Manual(s)

OWASP CSRFGuard v3 - series of articles describing the installation, configuration, and deployment of OWASP CSRFGuard v3.

  • [08 Fev 2014] A security fix has been published. See details on GitHub
  • [10 Feb 2014] Release 3.1 of CSRFGuard project is now available for download
  • [28 Jul 2014] A new Github repository called "OWASP CSRFGuard-3" with issues management has been created

Here a complete CSRF attacks FAQ:

Volunteers

CSRFGuard is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Ahamed Nafeez, Security Engineer.
  • Christa Erwin, Security, Programmer/Analyst.
  • Trent Schmidt, Release & Maven Central helper

Others

  • Eric Sheridan was the original designer of CSRFGuard until 3.0 version.

As of CSRFGuard the priorities are:

  • Address any security vulnerabilities around javascript prototype hijacking
  • Support for Internet Explorer
  • Addressing outstanding issues listed in GitHub
  • Support for Multi-part requests
  • Add support for the 'Origin' header

Involvement in the development and promotion of CSRFGurd is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Make fix to the actual version
  • Propose a security enhcement
  • Write a complete Architecture Folder for CSRFGurd
  • Add an IA engine to detect unknown attacks.


You can sign up for the OWASP CSRFGuard email list at https://lists.owasp.org/mailman/listinfo/owasp-csrfguard

Pages in category "OWASP CSRFGuard Project"

The following 4 pages are in this category, out of 4 total.