[Owasp-csrfprotector] CSRF Protector Plugin for wordpress

Abbas Naderi abiusx at owasp.org
Fri Feb 13 17:18:16 UTC 2015


This is interesting work Minhaz.
I believe to increase its impact, you need to do a study. Obtain some vulnerable plugins (say, 20) and install them on a system. Enable them one by one and check whether the CSRF vulnerability exists or not. Then try to use their features manually, to make sure that the protection is not breaking anything. Publishing this study would definitely increase the impact of and trust in such prevention measures.
Regards
-Abbas

> On Feb 13, 2015, at 11:51 AM, Minhaz A V <minhazav at gmail.com> wrote:
> 
> Hi Everyone,
> Hope you are doing something awesome!!
> 
> I have been thinking about this for long, and started writing the plugin today, after I came across an article meant for Wordpress plugin developers. It stated that plugin developers should protect the forms in the plugin against CSRF by calling methods like wp_nonce_field(), wp_verify_nonce(), etc. separately for each form. Now that's exactly what CSRF Protector aimed to fix!
> Also, there are references to a lot of Wordpress plugins vulnerable to CSRF in the exploit-db, and installing such plugins makes the whole admin panel vulnerable. Installing the plugin with CSRFP would ensure CSRF mitigation even if there is some vulnerable plugin installed.
> Also, I once had a chat with the Wordpress security team where they asked me to implement CSRFP as a plugin and said if it goes well they might implement it as the default anti-CSRF method.
> 
> So I have implemented it as a plugin, and it works well for all POST requests in the admin panel; I still need to implement it for certain GET requests (as plugins might introduce actions by clicking on links, but identifying such links could be a challenge).
> 
> It's available at: https://github.com/mebjas/WP-CSRF-Protector
> So if anyone is interested, have a look! {Feedback || suggestions || bugs} are welcome!!
> 
> 
> References:
> 1. Link to project on github: https://github.com/mebjas/WP-CSRF-Protector
> 2. exploit-db {{ CSRF + Wordpress <http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=csrf&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=> }}
> 
> Seems to be a long mail now :D
> Thanks!
> ----------------------------------------------------------------------------
> Kind Regards,
> Minhaz | My Projects <http://cistoner.org/projects> | My blog <http://cistoner.org/minhaz/>
> _______________________________________________
> Owasp-csrfprotector mailing list
> Owasp-csrfprotector at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
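For readers not familiar with the per-form nonce pattern the quoted mail refers to, here is an added example (not code from the WP-CSRF-Protector project or from either mail): a minimal WordPress admin handler written twice, once with no CSRF check at all, which is the pattern behind the exploit-db entries, and once protected with the core nonce API (wp_nonce_field(), check_admin_referer(), wp_verify_nonce()). It also shows how a state-changing GET link is protected with wp_nonce_url(), the case the mail describes as harder to cover generically. The plugin slug "csrfp_demo", the option name and the action names are invented for this example; the code only runs inside a WordPress installation.

```php
<?php
/*
 * Added example, not part of the original thread or project.
 * Names prefixed csrfp_demo_ are made up for illustration.
 * Requires the WordPress runtime (admin-post.php hooks, nonce API).
 */

// --- VULNERABLE: any page a logged-in admin visits can auto-submit a POST here.
add_action('admin_post_csrfp_demo_save_unsafe', function () {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    // No nonce check: the browser attaches the admin's cookies to a cross-site
    // form submission, so the capability check alone does not stop the attack.
    update_option('csrfp_demo_setting', sanitize_text_field($_POST['setting'] ?? ''));
    wp_safe_redirect(admin_url('options-general.php?page=csrfp_demo'));
    exit;
});

// --- HARDENED: same handler, with a nonce bound to this action and to the current user.
const CSRFP_DEMO_ACTION = 'csrfp_demo_save';

function csrfp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="csrfp_demo_save">
        <?php wp_nonce_field(CSRFP_DEMO_ACTION, 'csrfp_demo_nonce'); ?>
        <input type="text" name="setting"
               value="<?php echo esc_attr(get_option('csrfp_demo_setting', '')); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

add_action('admin_post_csrfp_demo_save', function () {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    // Stops the request with a 403 unless the submitted nonce was minted for this
    // action, for this user, within the nonce lifetime (24 hours by default).
    check_admin_referer(CSRFP_DEMO_ACTION, 'csrfp_demo_nonce');
    update_option('csrfp_demo_setting', sanitize_text_field($_POST['setting'] ?? ''));
    wp_safe_redirect(admin_url('options-general.php?page=csrfp_demo'));
    exit;
});

// --- State-changing GET link: the nonce travels in the URL and is verified first.
function csrfp_demo_reset_link() {
    $url = admin_url('admin-post.php?action=csrfp_demo_reset');
    return wp_nonce_url($url, 'csrfp_demo_reset', 'csrfp_demo_nonce');
}

add_action('admin_post_csrfp_demo_reset', function () {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    $nonce = isset($_GET['csrfp_demo_nonce']) ? sanitize_key($_GET['csrfp_demo_nonce']) : '';
    if (!wp_verify_nonce($nonce, 'csrfp_demo_reset')) {
        wp_die('Invalid or expired link', '', array('response' => 403));
    }
    delete_option('csrfp_demo_setting');
    wp_safe_redirect(admin_url('options-general.php?page=csrfp_demo'));
    exit;
});
```

The capability check is kept in every handler on purpose: nonces are not an authorization mechanism, they only prove the request originated from a form or link the site itself rendered for this user. A generic protector such as the one the mail describes has to supply the equivalent of the nonce check for plugins that omit it, which is straightforward for POST forms but, as noted above, requires knowing which GET links perform state changes.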
