[Owasp-csrfprotector] CSRF Protector Plugin for wordpress

Minhaz A V minhazav at gmail.com
Fri Feb 13 16:51:11 UTC 2015


Hi Everyone,
Hope you are doing something awesome!!

I have been thinking about this for a long time, and started writing the plugin
today, after I came across an article meant for *WordPress* plugin
developers. It stated that plugin developers should protect the *forms* in
the plugin against CSRF by calling methods like wp_nonce_field(),
wp_verify_nonce(), etc. separately for each form. Now that's exactly what CSRF Protector
aimed to fix!
Also, there are references to a lot of WordPress plugins vulnerable to CSRF
in exploit-db, and installing such plugins makes the whole admin panel
vulnerable. Installing CSRFP would ensure CSRF mitigation
even if some vulnerable plugin is installed.
Also, I once had a chat with the WordPress security team, where they asked me to
implement CSRFP as a plugin and said that if it goes well they might implement
it as the default anti-CSRF method.

So I have implemented it as a plugin, and it works well for all POST
requests in the admin panel; it still needs to be implemented for certain GET
requests (as plugins might introduce actions triggered by clicking on links, but
identifying such links could be a challenge).

It's available at: https://github.com/mebjas/WP-CSRF-Protector
So if anyone is interested, have a look! {Feedback || suggestions ||
bugs} are welcome!!


References:
1. Link to project on GitHub: https://github.com/mebjas/WP-CSRF-Protector
2. exploit-db search for "CSRF + WordPress":
<http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=csrf&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=>

Seems to be a long mail now :D
Thanks!
----------------------------------------------------------------------------
Kind Regards,
Minhaz | My Projects <http://cistoner.org/projects> | My blog <http://cistoner.org/minhaz/>
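Added example (not from the mail above and not code from the WP-CSRF-Protector plugin): the per-form nonce pattern that the WordPress guidance mentioned in the mail asks plugin developers to apply, shown as an unprotected admin-post handler beside its nonce-protected form and handler. The function names, the option name `example_api_endpoint`, the action `example_plugin_save_settings` and the nonce field name are assumptions made for illustration; the WordPress functions called (wp_nonce_field, wp_verify_nonce, current_user_can, update_option, admin_url, wp_safe_redirect, submit_button, wp_die) are the real core API.

```php
<?php
/*
 * Added example of WordPress's per-form nonce pattern. This is NOT code from
 * WP-CSRF-Protector; the plugin slug, option name, action and field names
 * are assumptions for illustration.
 */

// --- Vulnerable: a settings handler that trusts any POST to admin-post.php. ---
// A third-party page can auto-submit a form to this endpoint while an admin
// is logged in; the browser attaches the admin's cookies and the option is
// overwritten without the admin's intent.
function example_plugin_save_settings_vulnerable() {
    if ( isset( $_POST['example_api_endpoint'] ) ) {
        update_option( 'example_api_endpoint', esc_url_raw( wp_unslash( $_POST['example_api_endpoint'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// --- Hardened: the form carries a nonce bound to one action string, and the
// handler refuses the request unless the nonce verifies AND the user holds the
// capability. A nonce proves intent, not privilege, so both checks are needed. ---
function example_plugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_settings">
        <?php
        // Emits a hidden "example_plugin_nonce" field plus a _wp_http_referer
        // field. Using a distinct action string per form keeps a nonce issued
        // for one form from being replayed against another.
        wp_nonce_field( 'example_plugin_save_settings', 'example_plugin_nonce' );
        ?>
        <label>API endpoint
            <input type="url" name="example_api_endpoint"
                   value="<?php echo esc_attr( get_option( 'example_api_endpoint', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_plugin_save_settings_hardened() {
    // Authorization check first: nonces say nothing about who may do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: wp_verify_nonce() returns false when the nonce is missing,
    // forged, tied to a different action, expired, or issued for another user.
    $nonce = isset( $_POST['example_plugin_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_plugin_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_save_settings' ) ) {
        wp_die( 'Security check failed (invalid or expired nonce).', '', array( 'response' => 403 ) );
    }

    if ( isset( $_POST['example_api_endpoint'] ) ) {
        update_option( 'example_api_endpoint', esc_url_raw( wp_unslash( $_POST['example_api_endpoint'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// Route the hardened handler through admin-post.php for logged-in users only.
add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_save_settings_hardened' );
```

The two-line nonce fetch plus wp_verify_nonce() can be collapsed into a single check_admin_referer( 'example_plugin_save_settings', 'example_plugin_nonce' ) call, which dies on failure; the longer form is kept here so the failure path is visible. The point the mail makes is that every form in every plugin has to repeat this pairing of wp_nonce_field() and wp_verify_nonce() with its own action string, and a single plugin that omits it exposes the whole admin panel.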