[Owasp-csrfprotector] CSRF Protector Plugin for wordpress

Minhaz A V minhazav at gmail.com
Fri Feb 13 17:49:54 UTC 2015


Yeah, that seems cool to me!
Would collect a few such plugins and test them without and with it!

Thanks!

----------------------------------------------------------------------------
Kind Regards,
Minhaz | My Projects <http://cistoner.org/projects> | My blog <http://cistoner.org/minhaz/>

On Fri, Feb 13, 2015 at 10:48 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> This is interesting work Minhaz.
> I believe to increase its impact, you need to do a study. Obtain some
> vulnerable plugins (say, 20) and install them on a system. Enable them one
> by one and check whether the CSRF vulnerability exists or not. Then try to
> use their features manually, to make sure that the protection is not
> breaking anything. Publishing this study would definitely increase impact
> and trust of such prevention measures.
> Regards
> -Abbas
>
> On Feb 13, 2015, at 11:51 AM, Minhaz A V <minhazav at gmail.com> wrote:
>
> Hi Everyone,
> Hope you are doing something awesome!!
>
> I have been thinking about this for long, and started writing the plugin
> today, after I came across an article meant for *WordPress* plugin
> developers. It stated that plugin developers should protect the *forms* in
> the plugin against CSRF by calling methods like wp_nonce_field(), wp_verify_nonce(),
> etc., distinctly for every form. Now that's exactly what CSRF
> Protector aimed to fix!
> Also, there are references to a lot of WordPress plugins vulnerable to CSRF
> in the exploit-db, and installing such plugins makes the whole admin panel
> vulnerable. Installing the plugin with CSRFP would ensure CSRF mitigation
> even if there is some vulnerable plugin installed.
> Also I once had a chat with the WordPress security team where they asked me to
> implement CSRFP as a plugin and said if it goes well they might implement
> it as the default anti-CSRF method.
>
> So I have implemented it as a plugin, and it works well for all POST
> requests in the admin panel; it still needs to be implemented for certain GET
> requests (as plugins might introduce actions by clicking on links, but
> identifying such links could be a challenge).
>
> It's available at: https://github.com/mebjas/WP-CSRF-Protector
> So if anyone is interested, have a look! {Feedback || suggestions ||
> bugs} are welcome!!
>
>
> References:
> 1. Link to project on github: https://github.com/mebjas/WP-CSRF-Protector
> 2. exploit-db {{ CSRF + WordPress <http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=csrf&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=> }}
>
> Seems to be a long mail now :D
> Thanks!
>
> ----------------------------------------------------------------------------
> Kind Regards,
> Minhaz | My Projects <http://cistoner.org/projects> | My blog <http://cistoner.org/minhaz/>
>  _______________________________________________
> Owasp-csrfprotector mailing list
> Owasp-csrfprotector at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector
>
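For readers who have not seen the per-form pattern the quoted article describes, the following is an added illustration (not code from WP-CSRF-Protector, from the thread, or from WordPress core) of what a plugin developer must do by hand for each form: emit a nonce with wp_nonce_field() when rendering, and check it with wp_verify_nonce() in the handler. The plugin slug `example_plugin`, the action string `example_plugin_save_action`, the option name `example_plugin_setting` and the capability choice are assumptions made for the example; the WordPress functions used (wp_nonce_field, wp_verify_nonce, current_user_can, admin_post_{action}) are the real core API.

```php
<?php
// Added example: the per-form nonce pattern a WordPress plugin developer
// must repeat for every form. Names prefixed example_plugin_ are
// hypothetical; the wp_* / admin_* functions are WordPress core.

// 1. Render the form on an admin page. The nonce is bound to an action
//    string specific to THIS form and stored in a field with its own name,
//    so a token issued for one form is not accepted by another handler.
function example_plugin_render_form() {
    $current = get_option( 'example_plugin_setting', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save" />
        <?php wp_nonce_field( 'example_plugin_save_action', 'example_plugin_nonce' ); ?>
        <label for="example_setting">Setting</label>
        <input type="text" id="example_setting" name="example_setting"
               value="<?php echo esc_attr( $current ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST. admin-post.php dispatches to admin_post_{action},
//    where {action} is the hidden "action" field above.
function example_plugin_handle_save() {
    // Authorization comes first: a valid nonce only proves the request
    // originated from a page this user was shown, not that the user may act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: the token must be present and valid for this exact action.
    // wp_verify_nonce() returns false on failure, 1 or 2 on success
    // (the number indicates which half of the validity window it is in).
    $nonce = isset( $_POST['example_plugin_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_plugin_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_save_action' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }

    // Only now touch state.
    $value = isset( $_POST['example_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_setting'] ) )
        : '';
    update_option( 'example_plugin_setting', $value );

    // Redirect back so a refresh does not resubmit the form.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_handle_save' );
```

Two points this makes concrete. First, the burden is per form: omit the wp_nonce_field()/wp_verify_nonce() pair in a single handler and that action becomes the CSRF hole the exploit-db entries describe, which is the gap a site-wide filter like the proposed plugin is meant to cover. Second, WordPress nonces are tied to the user and action and expire after a time window rather than being single-use, so they protect against cross-site requests but are not a substitute for the capability check that precedes them.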