[Owasp-poa] Fwd: [Owasp-leaders] OWASP CSRFGuard 3.0.0.336 (ALPHA) Released!

L. Gustavo C. Barbato lgbarbato at owasp.org
Thu Dec 16 08:25:15 EST 2010


FYI

L. Gustavo C. Barbato, Ph.D.
Chapter Leader, OWASP Porto Alegre / Brazil
Global Chapter Committee Member
http://www.owasp.org/index.php/User:Gustavo_Barbato


-------- Original Message --------
Subject: 	[Owasp-leaders] OWASP CSRFGuard 3.0.0.336 (ALPHA) Released!
Date: 	Wed, 15 Dec 2010 20:10:01 -0500
From: 	eric sheridan <eric.sheridan at owasp.org>
Reply-To: 	owasp-leaders at lists.owasp.org
To: 	owasp-csrfguard List <owasp-csrfguard at lists.owasp.org>, 
owasp-leaders at lists.owasp.org, websecurity at webappsec.org



It is with great pride that I announce the release of OWASP CSRFGuard 
3.0.0.336 (ALPHA)! This is a development release of the v3 series that 
is in need of peer review, testing, and general feedback in preparation 
for BETA. There are several significant new features that are in need of 
testing in the enterprise development environments. Please contact me 
for support if you are interested in testing the latest release. Of 
course, I am always open to questions, comments, or feature requests! 
Please check out the project home 
page (http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project) 
and User Manual 
(http://www.owasp.org/index.php/CSRFGuard_3_User_Manual) for more 
information about how to install, configure, and deploy the OWASP 
CSRFGuard library.

OWASP CSRFGuard has been completely rewritten to address the various 
feature requests and bug fixes submitted to me over the past 
couple of years. No longer will CSRFGuard be referred to as just a 
"reference implementation". By addressing the performance and 
scalability issues plaguing older releases, OWASP CSRFGuard v3 is 
intended to serve as the de facto standard prevention mechanism against 
CSRF attacks for JavaEE web applications. The following is a bulleted 
summary of the significant changes associated with the v3 release:

* OWASP CSRFGuard is now available under the much more liberal BSD license
* The Owasp.CsrfGuard.properties file can be loaded from the classpath, web 
context directory, or current directory
* Developers can implement a custom logger to be consumed by the library
* Experimental support for the rotation of CSRF tokens once the previous 
token is expired
* Experimental support for creating and verifying unique CSRF tokens per 
page
* Experimental support for Ajax through the verification of headers 
dynamically injected by CSRFGuard JavaScript
* Configurable actions including Log, Invalidate, Redirect, Forward, 
RequestAttribute, and SessionAttribute
* Unprotected pages can be captured using the same syntax used by the JavaEE 
container in web.xml
* Library no longer intercepts HTTP responses produced by the web 
application
* Developers can manually inject CSRF prevention tokens using the JSP 
tag library
* Developers can automate injection of CSRF prevention tokens using 
dynamic JavaScript DOM Manipulation
* Tokens are only injected into HTML elements that submit requests to 
the current origin (planned for XHR)
* JavaScript token injection can be configured to inject into links, 
forms, and XMLHttpRequests

Please check out the following resources for more information regarding 
recent project updates:

Project Page - 
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
User Manual - http://www.owasp.org/index.php/CSRFGuard_3_User_Manual
Code Repository - http://code.google.com/p/owaspcsrfguard/
Blog - http://ericsheridan.blogspot.com/

-Eric