This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CSRF Mitigation methods"
From OWASP
A V Minhaz (talk | contribs) |
A V Minhaz (talk | contribs) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
[[Category:OWASP ASDR Project]] | [[Category:OWASP ASDR Project]] | ||
<br> | <br> | ||
| − | + | ===Note=== | |
| + | This wiki is currently incomplete! Feel free to contribute! | ||
| + | |||
===Overview=== | ===Overview=== | ||
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. | CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. | ||
| Line 12: | Line 14: | ||
===OWASP CSRF Protector Project=== | ===OWASP CSRF Protector Project=== | ||
| − | OWASP CSRF Protector | + | OWASP CSRF Protector is a new anti CSRF method to mitigate CSRF based attacks in web applications. It comes in two parts : |
* <b>Standalone php library: </b> This library can be both easily integrated with both existing web application or easily used while developing a new one. | * <b>Standalone php library: </b> This library can be both easily integrated with both existing web application or easily used while developing a new one. | ||
* <b>Transparent Apache Module: </b> Can be installed on Apache 2.x.x servers to provide CSRF mitigation without doing any modification in web application logic or codes. | * <b>Transparent Apache Module: </b> Can be installed on Apache 2.x.x servers to provide CSRF mitigation without doing any modification in web application logic or codes. | ||
| Line 42: | Line 44: | ||
| Yes (Separate version supporting NoJS) | | Yes (Separate version supporting NoJS) | ||
| No | | No | ||
| + | |- | ||
| + | | More Information | ||
| + | | [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/CSRF-Protector-PHP Github Repository] | ||
| + | | [https://www.owasp.org/index.php/CSRFProtector_Project Wiki] [https://github.com/mebjas/mod_csrfprotector Github Repository] | ||
|} | |} | ||
===OWASP CSRF Guard Project=== | ===OWASP CSRF Guard Project=== | ||
| − | + | The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. It comes in two parts: | |
| + | * A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks. | ||
| + | * A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Properties / Tool | ||
| + | ! CSRF Guard | ||
| + | |- | ||
| + | | Dependencies | ||
| + | | - | ||
| + | |- | ||
| + | | Works with | ||
| + | | - | ||
| + | |- | ||
| + | | Current Status | ||
| + | | - | ||
| + | |- | ||
| + | | Protection | ||
| + | | - | ||
| + | |- | ||
| + | | NOJS Support | ||
| + | | - | ||
| + | |- | ||
| + | | More Information | ||
| + | | [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project Wiki] [https://github.com/aramrami/OWASP-CSRFGuard-3 Github Repository] | ||
| + | |} | ||
Latest revision as of 20:20, 20 September 2014
- This is an Attack. To view all attacks, please see the Attack Category page.
Note
This wiki is currently incomplete! Feel free to contribute!
Overview
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
For more information on CSRF visit:
OWASP CSRF Protector Project
OWASP CSRF Protector is a new anti CSRF method to mitigate CSRF based attacks in web applications. It comes in two parts :
- Standalone php library: This library can be both easily integrated with both existing web application or easily used while developing a new one.
- Transparent Apache Module: Can be installed on Apache 2.x.x servers to provide CSRF mitigation without doing any modification in web application logic or codes.
Features
| Properties / Tool | CSRF Protector - php library | mod_csrfprotector apache module |
|---|---|---|
| Dependencies | None | None |
| Works with | php >= 4.3 | Apache 2.2.x |
| Current Status | Alpha Version released | Alpha Version released |
| Protection | CSRF Protection for php web applications | CSRF Protection for apache 2.2.x servers, irrespective of languages used as server side script! |
| NOJS Support | Yes (Separate version supporting NoJS) | No |
| More Information | Wiki Github Repository | Wiki Github Repository |
OWASP CSRF Guard Project
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. It comes in two parts:
- A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
- A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.
| Properties / Tool | CSRF Guard |
|---|---|
| Dependencies | - |
| Works with | - |
| Current Status | - |
| Protection | - |
| NOJS Support | - |
| More Information | Wiki Github Repository |
