This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

CSRFProtector Project

From OWASP
Revision as of 11:52, 24 June 2014 by A V Minhaz (talk | contribs)

Jump to: navigation, search

OWASP CSRF Protector Project

OWASP CSRF Protector Project is an effort by a group of developers in securing web applications against Cross Site Request Forgery, providing php library and an Apache Module (to be used differently) for easy mitigation.

GitHub Repo - php library
GitHub Repo - Apache module


What is CSRF Protector?

CSRF Protector Project has two parts:

  • Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
  • php library: A standalone php library which can be integrated with any existing web application or used while creating a new php project. All developer need to do is include the library and call the initiating function.
  • Why CSRF Protector?

    CSRF Protector is suitable for three group of developers:

    • Framework Developers can use the libraries and tools to strengthen their framework security
    • PHP Application Developers can use the library and tools to enhance their application security
    • New PHP Developers can use the tools and libraries to create secure applications from scratch

    Project leader

    Abbas Naderi

    Major Contributors

    Features Offered

    CSRF Protection provide protection for:

    • Normal HTML forms (POST/GET)
    • Normal Get requests (Not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    Quick Download

    Website

    News and Events

    Classifications

    Owasp-incubator-trans-85.png Owasp-builders-small.png
    Owasp-defenders-small.png
    Cc-button-y-sa-small.png


    mod_csrfprotector - Apache 2.x.x Modules for mitigating CSRF attacks

    What is mod_csrfprotector

    Its an Apache 2.x.x Module (Currently 2.2.x) under development. It can be installed and configured in any Apache Server to protect it against Cross Site Request Forgery attacks. mod_csrfprotector provides protection to both POST and GET requests (not enabled by default).

    How mod_csrfprotector works?

    Once installed in Apache Server, every request that is made to the server, and validated against CSRF attacks by the input filters. Input filter follows a protocol as mentioned by developer in configuration, which helps the module to decide weather to validated the request. The input filter checks for appropriate token sent with request. Request if forwarded to other filters or content generator (like php or cgi) in validation is successful. Otherwise, appropriate actions are taken as per configuration. For ex: 403, Forbidden header is send to client. The Output filter, checks for content type of output generated by content generator and if it is `text/html` or `text/xhtml` it appends javascript code to the output. This js code in client side is responsible for attaching CSRFP_token with every required request sent from client.

    Features Offered

    CSRF Protection provide protection for:

    • Normal HTML forms (POST/GET)
    • Normal Get requests (Not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    How to contribute

    To contribute to the code fork and send a pull to:
    GitHub Repo - mod_csrfprotector

    For discussions, join our mailing list: - Mailing List

    TODOs

    All todos for mod_csrfprotector are listed at: todofy: mod_csrfprotector

    Current Status

    Under Development

    CSRF Protector php library - Standalone php library for mitigating CSRF vulnerability

    What is CSRF Protector php library

    Its a standalone php library for mitigating Cross Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. More information available at github wiki

    Features Offered

    CSRF Protection provide protection for:

    • Normal HTML forms (POST/GET)
    • Normal Get requests (Not enabled by default)
    • Ajax Requests (XHR)
    • Dynamically generated forms

    Damages Mitigated

    • Cross Site Request Forgery

    How to contribute

    To contribute to the code fork and send a pull to:
    GitHub Repo

    For discussions, join our mailing list: - Mailing List

    Current Status

    Version 1.0.0 Released!

    TODOs

    All todos for CSRF Protector PHP are listed at: todofy - CSRF Protector PHP

    Download Now

    - CSRFP php master code