
Difference between revisions of "CSRFProtector Project"

(Updated download link and text)
 
(11 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
  
 
==OWASP CSRF Protector Project==
 
==OWASP CSRF Protector Project==
Line 17: Line 17:
 
<li><b>php library: </b> A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
 
<li><b>php library: </b> A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function. [https://github.com/mebjas/CSRF-Protector-PHP/wiki View More]
 
</li>
 
</li>
 +
<br>
 +
Its based on the research paper [http://www3.cs.stonybrook.edu/~rpelizzi/jcsrf.pdf A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011]
 +
 
==Why CSRF Protector?==
 
==Why CSRF Protector?==
 
CSRF Protector is suitable for three group of developers:
 
CSRF Protector is suitable for three group of developers:
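Review bot: the added research-paper sentence sits after the closing `</li>` and before the `==Why CSRF Protector?==` heading, so it is neither a list item nor a clean paragraph; make it its own `<li>` or close the list before it, and change `Its based on` to `It's based on`.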
Line 26: Line 29:
 
==Project leader==
 
==Project leader==
  
[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]
+
*[[User:A_V_Minhaz|Minhaz]]
 +
 
 +
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
  
| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 
 
==How to use==
 
==How to use==
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use]<br>
+
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use See github wiki - How to use]<br>
 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
 
[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]
 
==Major Contributors==
 
==Major Contributors==
 
*[[User:A_V_Minhaz|Minhaz]]
 
*[[User:A_V_Minhaz|Minhaz]]
 
*[[User:Kevin_W._Wall|Kevin W Wall]]
 
*[[User:Kevin_W._Wall|Kevin W Wall]]
 +
*[[User:Abbas Naderi|Abbas Naderi]]
 
*[[User:Jmanico|Jim Manico]]
 
*[[User:Jmanico|Jim Manico]]
 
*Abhinav Dahiya
 
*Abhinav Dahiya
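Review bot: the unchanged context line `[https://github.com/mebjas/CSRF-Protector-PHP/wiki/ Gihub wiki]` misspells GitHub and should be fixed while this section is being edited. Note also that the new leader entry `*[[User:A_V_Minhaz|Minhaz]]` is a bullet whereas the line it replaces was plain text, so the Project leader block now renders as a one-item list.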
Line 50: Line 55:
 
To contribute to the code fork and send a pull to:<br>
 
To contribute to the code fork and send a pull to:<br>
 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library]<br>
 
[https://github.com/mebjas/CSRF-Protector-PHP GitHub Repo - php library]<br>
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]
+
[https://github.com/mebjas/mod_csrfprotector GitHub Repo - Apache module]<br>
 +
[https://todofy.org/r/mebjas/CSRF-Protector-PHP Todofy - php library]<br>
 +
[https://todofy.org/r/mebjas/mod_csrfprotector Todofy - Apache module]
  
 
For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]
 
For discussions, join our mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector - Mailing List]
  
 +
| valign="top" style="padding-left:25px;width:200px;" |
  
 
| valign="top"  style="padding-left:25px;width:200px;" |
 
 
== Salient Features ==
 
== Salient Features ==
 
* Easy to integrate
 
* Easy to integrate
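Review bot: the context line `To contribute to the code fork and send a pull to:<br>` is missing a comma and the word "request"; it should read `To contribute to the code, fork it and send a pull request to:`. The added `<br>` after the Apache module link and the two new Todofy links are consistent with the existing line-break style.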
Line 64: Line 70:
  
 
== Quick Download ==
 
== Quick Download ==
[https://github.com/mebjas/CSRF-Protector-PHP/releases/tag/v0.1.0 CSRF Protector PHP library]
+
[https://github.com/mebjas/CSRF-Protector-PHP/releases CSRFProtector PHP]
  
 
== Quick Links ==
 
== Quick Links ==
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.key CSRFProtector.key]<br>
+
- [http://www.slideshare.net/MinhazAv/csrf-protector SlideShare Deck]
[http://cistoner.org/minhaz/wp-content/uploads/2014/11/owasp.pptx CSRFProtector.pptx]
+
 
 
== News and Events ==
 
== News and Events ==
  
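Review bot: the added Quick Links line `- [http://www.slideshare.net/MinhazAv/csrf-protector SlideShare Deck]` starts with a literal hyphen, which renders as the text `- SlideShare Deck` rather than a list item; use `*` for a wiki bullet or drop the dash. Replacing the pinned `releases/tag/v0.1.0` link with the `releases` index keeps the download link from pointing at a stale version.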
Line 74: Line 80:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
+
   | rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]   
+
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]   
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
+
   | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
   |}
 
   |}
  
 
|}
 
|}
 
  
 
= Apache Module =
 
= Apache Module =
Line 90: Line 95:
 
{{:CSRF_Protector_php_library}}
 
{{:CSRF_Protector_php_library}}
  
__NOTOC__ <headertabs />  
+
__NOTOC__ <headertabs></headertabs>  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]
+
[[Category:OWASP Project]]   
 +
[[Category:OWASP_Builders]]  
 +
[[Category:OWASP_Defenders]]  
 +
[[Category:OWASP_Document]]  
 +
[[Category:OWASP_Download]]

Latest revision as of 22:12, 15 March 2018

OWASP CSRF Protector Project

OWASP CSRF Protector Project is an effort by a group of developers to secure web applications against Cross Site Request Forgery (CSRF). It provides a php library and an Apache module, each used in a different way, for easy mitigation.

GitHub Repo - php library
GitHub Repo - Apache module


What is CSRF Protector?

CSRF Protector Project has two parts:

  • Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
  • php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All a developer needs to do is include the library and call the initiating function. View More

  • It's based on the research paper A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011

    Why CSRF Protector?

    CSRF Protector is suitable for three groups of developers:

    • Framework Developers can use the libraries and tools to strengthen their framework security
    • PHP Application Developers can use the library and tools to enhance their application security
    • New PHP Developers can use the tools and libraries to create secure applications from scratch

    Project leader

    How to use

    See github wiki - How to use
    GitHub wiki

    Major Contributors

    Features Offered

    CSRF Protector provides protection for:

    • Normal HTML forms (POST/GET)
    • Normal GET requests (not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    Get Involved

    To contribute to the code, fork it and send a pull request to:
    GitHub Repo - php library
    GitHub Repo - Apache module
    Todofy - php library
    Todofy - Apache module

    For discussions, join our mailing list: owasp-csrfprotector Mailing List

    Salient Features

    • Easy to integrate
    • Support for AJAX & GET requests
    • Per request token used
    • Cross Domain Support (Next version)

    Quick Download

    CSRFProtector PHP

    Quick Links

    SlideShare Deck

    News and Events

    Classifications

    OWASP Incubator Project (Builders, Defenders); licensed under CC BY-SA 3.0

    mod_csrfprotector - Apache 2.x.x Modules for mitigating CSRF attacks

    What is mod_csrfprotector

    It's an Apache 2.x.x module (currently 2.2.x) under development. It can be installed and configured in any Apache server to protect it against Cross Site Request Forgery attacks. mod_csrfprotector provides protection for both POST and GET requests (GET protection is not enabled by default).

    How does mod_csrfprotector work?

    Once installed in the Apache server, every request made to the server is validated against CSRF attacks by the input filter. The input filter follows the protocol specified by the developer in the configuration, which tells the module whether a given request must be validated. For requests that must be validated, the input filter checks for the appropriate token sent with the request. If validation succeeds, the request is forwarded to the other filters or to the content generator (such as php or cgi). Otherwise, the action configured by the developer is taken; for example, a 403 Forbidden response is sent to the client. The output filter checks the content type of the output produced by the content generator, and if it is `text/html` or `text/xhtml` it appends JavaScript code to the output. This client-side JS code is responsible for attaching the CSRFP_token to every required request sent from the client.
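    The input-filter / output-filter flow described above, and the form, GET and XHR cases in the Features list, modelled as an added example written for this page (not the module's or the php library's own code). Only the token name CSRFP_token comes from the page; keeping the expected token in a cookie, reading it back from a form field, query parameter or an `X-CSRFP-token` header, and the `/csrfp.js` script path are assumptions made to keep the example self-contained.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_NAME = "CSRFP_token"  # token name from the page; where it is carried is assumed below

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # assumed: expected token lives in a cookie
    form: dict = field(default_factory=dict)      # POST body fields (HTML forms)
    query: dict = field(default_factory=dict)     # GET parameters
    headers: dict = field(default_factory=dict)   # assumed: XHR sends X-CSRFP-token

@dataclass
class Response:
    status: int
    content_type: str
    body: str

def new_token() -> str:
    """Per-request token; the caller issues a fresh one with each response."""
    return secrets.token_hex(16)

def input_filter(req: Request, protect_get: bool = False) -> bool:
    """True if the request may reach the content generator, else the caller sends 403.
    GET checking is off unless enabled, matching 'not enabled by default'."""
    if req.method == "GET" and not protect_get:
        return True
    expected = req.cookies.get(TOKEN_NAME)
    supplied = (req.form.get(TOKEN_NAME) or req.query.get(TOKEN_NAME)
                or req.headers.get("X-CSRFP-token"))
    if not expected or not supplied:
        return False
    # constant-time comparison so a mismatch does not leak token bytes via timing
    return hmac.compare_digest(expected, supplied)

INJECTED_JS = '<script src="/csrfp.js"></script>'  # assumed path of the client-side script

def output_filter(resp: Response) -> Response:
    """Append the client-side script only when the generator produced HTML."""
    if resp.content_type.split(";")[0].strip() in ("text/html", "text/xhtml"):
        resp.body = resp.body + INJECTED_JS
    return resp

def handle(req: Request, protect_get: bool = False) -> Response:
    """Full pipeline: validate, then either 403 or run the generator and post-process."""
    if not input_filter(req, protect_get):
        return Response(403, "text/plain", "Forbidden")
    resp = Response(200, "text/html; charset=utf-8", "<html><body>ok</body></html>")
    return output_filter(resp)
```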

    Features Offered

    CSRF Protector provides protection for:

    • Normal HTML forms (POST/GET)
    • Normal GET requests (not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    How to contribute

    To contribute to the code, fork it and send a pull request to:
    GitHub Repo - mod_csrfprotector

    For discussions, join our mailing list: owasp-csrfprotector Mailing List

    TODOs

    All todos for mod_csrfprotector are listed at: todofy: mod_csrfprotector

    Current Status

    Under Development

    CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability

    What is CSRF Protector php library

    It's a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. More information is available at the GitHub wiki.

    Features Offered

    CSRF Protector provides protection for:

    • Normal HTML forms (POST/GET)
    • Normal GET requests (not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    How to contribute

    To contribute to the code, fork it and send a pull request to:
    GitHub Repo

    For discussions, join our mailing list: owasp-csrfprotector Mailing List

    Current Status

    Version 1.0.0 Released!

    TODOs

    All todos for CSRF Protector PHP are listed at: todofy - CSRF Protector PHP

    Download Now

    CSRFP php master code