[Owasp-csrfprotector] protection for GET requests

Minhaz A V minhazav at gmail.com
Thu May 29 18:39:05 UTC 2014


Hi,
I did the implementation of this part in another branch of the repo.
In the configuration I used a regex like:
https://github.com/mebjas/CSRF-Protector-PHP/blob/GET-support/libs/config.php#L17

In the library I have used functions to check whether we need to validate
the current GET request for a CSRF attack:
https://github.com/mebjas/CSRF-Protector-PHP/blob/GET-support/libs/csrf/csrfprotector.php#L364

This function can be overridden by the developer, so the developer can
easily define the protocol to decide whether a GET request should be
validated or not; otherwise the one provided with CSRFP is used.

I'd like to know what you think about this mechanism.
Minhaz,
minhaz.cistoner.org || cistoner.org


On Mon, May 26, 2014 at 4:21 AM, Minhaz A V <minhazav at gmail.com> wrote:

> Also, this would require us to rewrite only requests (in case of GET) which
> are sent to these URLs, or we rewrite every URL, as having an extra
> parameter in the request URL won't be harmful (but I guess that would be a
> very bad practice).
>
> For this we need to pass the logic to JS also, so that it identifies which
> requests to rewrite. Any simple idea on how to do this?
>
>
> Minhaz,
> minhaz.cistoner.org || cistoner.org
>
>
> On Mon, May 26, 2014 at 4:15 AM, Minhaz A V <minhazav at gmail.com> wrote:
>
>> Yeah, this is a better idea: rather than implementing the logic directly
>> in the validation code, we can provide a function which can be overridden
>> by a user-defined function. In the basic method we can provide the
>> mechanism that is in our scope, i.e. to map the current request URL
>> against all those mentioned in an array of URLs to be validated.
>>
>>
>> Minhaz,
>> minhaz.cistoner.org || cistoner.org
>>
>>
>> On Mon, May 26, 2014 at 4:05 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> What if the application uses dynamic URLs? What if it has so many URLs
>>> that need to be verified, and only one not to be verified?
>>>
>>> We can expect the developer to create a function that receives a URL
>>> and returns true if it needs to be CSRF protected and false otherwise, and
>>> then use that function to decide what to do.
>>>
>>> A list can easily be implemented using that as well.
>>> -A
>>>
>>> On May 25, 2014, at 6:34 PM, Minhaz A V <minhazav at gmail.com> wrote:
>>>
>>> Abbas, I couldn't get you?
>>>
>>>
>>>
>>> Minhaz,
>>> minhaz.cistoner.org || cistoner.org
>>>
>>>
>>> On Mon, May 26, 2014 at 3:59 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> A list is not the best idea, but a function that returns true or false
>>>> and is implemented by the developer is a totally different story!
>>>> -A
>>>>
>>>> On May 25, 2014, at 6:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>> What if we keep a list of specific URLs for which the developer wants to
>>>> check for CSRF validation in GET requests? This would create no false
>>>> positives or false negatives, as GET requests to only certain URLs can be
>>>> vulnerable. If the developer can identify these, we can map every host URL
>>>> in the request against the list the developer has maintained and provide
>>>> validation for those only. This will complicate the logic to a certain
>>>> extent, but we can implement this!
>>>>
>>>>
>>>> Great idea, I like it.
>>>> - Jim
>>>>
>>>>
>>>>
>>>> Minhaz,
>>>> minhaz.cistoner.org || cistoner.org
>>>>
>>>> _______________________________________________
>>>> Owasp-csrfprotector mailing list
>>>> Owasp-csrfprotector at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
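The overridable "does this GET request need CSRF validation?" predicate that Abbas proposes, together with the client-side rewrite Minhaz asks about, as an added JavaScript example (not code from CSRF-Protector-PHP). The pattern list, the `csrfp_token` parameter name, the origin and the function names are assumptions.

```javascript
// Added example, not the library's own code. The default predicate mirrors the
// server-side "array of URLs / regex in config" idea so the JS can decide which
// requests to rewrite; a developer may swap in any (url) => boolean function.
// DEFAULT_PATTERNS is a constructed sample of paths needing protection.
const DEFAULT_PATTERNS = [
  /^\/account\/delete(\?|$)/,
  /^\/transfer\/\d+\/confirm(\?|$)/,
];

// Default predicate: true when the path (plus query) matches a configured
// pattern. Regexes cover the "dynamic URLs" case Abbas raises.
function needsCsrfToken(url, patterns = DEFAULT_PATTERNS) {
  const target = new URL(url, "https://app.example"); // constructed base origin
  const pathAndQuery = target.pathname + target.search;
  return patterns.some((re) => re.test(pathAndQuery));
}

// Rewrite a GET URL by appending the token as a query parameter, but only if
// the predicate says the request must be validated AND the target is
// same-origin: appending the token to every URL would hand it to third
// parties, which is the "very bad practice" the thread warns about.
function rewriteUrl(url, token, origin, predicate = needsCsrfToken) {
  const target = new URL(url, origin);
  if (target.origin !== origin) return url; // never leak the token cross-origin
  if (!predicate(target.href)) return url; // not a protected URL: leave as-is
  target.searchParams.set("csrfp_token", token); // parameter name is assumed
  return target.href;
}

// A developer override in the spirit of "many URLs protected, one not":
// everything except the /public prefix needs the token.
const allExceptPublic = (url) => !new URL(url).pathname.startsWith("/public");
```

Wire `rewriteUrl` into the link-click or XHR hook of your choice; the predicate is the only piece the developer needs to replace.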