[Owasp-leaders] OWASP CSRFGuard (ALPHA) Released!

eric sheridan eric.sheridan at owasp.org
Wed Dec 15 20:30:45 EST 2010


Your feedback would be greatly appreciated! There are a lot of security
updates to this JS code, both to defend against CSRF attacks and to defend
against JavaScript Hijacking attacks that may attempt to steal the token.
Thanks for testing this out and let me know how it goes in ModSecurity.


On Wed, Dec 15, 2010 at 8:26 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:

> Hey Eric,
> You may remember - I have included the csrf js file code in the owasp
> ModSecurity core rule set project. ModSecurity is able to do content
> injection and append the js code to the bottom of HTML response bodies on
> the fly. ModSecurity creates the tokens and validates them on subsequent
> requests.
> Anyways - I will try out the new JS code to see if it still works for my
> implementation.
> Thanks!
> --
> Ryan Barnett
> On Dec 15, 2010, at 8:10 PM, "eric sheridan" <eric.sheridan at owasp.org>
> wrote:
> It is with great pride that I announce the release of OWASP CSRFGuard
> (ALPHA)! This is a development release of the v3 series that is in
> need of peer review, testing, and general feedback in preparation for BETA.
> There are several significant new features that are in need of testing in
> the enterprise development environments. Please contact me for support if
> you are interested in testing the latest release. Of course, I am always
> open to questions, comments, or feature requests! Please check out the
> project home page (http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project)
> and User Manual (http://www.owasp.org/index.php/CSRFGuard_3_User_Manual) for more
> information about how to install, configure, and deploy the OWASP CSRFGuard
> library.
> OWASP CSRFGuard has been completely rewritten to address the various
> feature requests and bug fixes submitted to me over the past couple years.
> No longer will CSRFGuard be referred to as just a "reference
> implementation". By addressing the performance and scalability
> issues plaguing older releases, OWASP CSRFGuard v3 is intended to serve as
> the de-facto standard prevention mechanism against CSRF attacks for JavaEE
> web applications. The following is a bulleted summary of the significant
> changes associated with the v3 release:
> * OWASP CSRFGuard is now available under the much more liberal BSD license
> * Owasp.CsrfGuard.properties file can be loaded from classpath, web context
> directory, or current directory
> * Developers can implement a custom logger to be consumed by the library
> * Experimental support for the rotation of CSRF tokens once the previous
> token is expired
> * Experimental support for creating and verifying unique CSRF tokens per
> page
> * Experimental support for Ajax through the verification of headers
> dynamically injected by CSRFGuard JavaScript
> * Configurable actions including Log, Invalidate, Redirect, Forward,
> RequestAttribute, and SessionAttribute
> * Unprotected pages can be captured using same syntax used by the JavaEE
> container in web.xml
> * Library no longer intercepts HTTP responses produced by the web
> application
> * Developers can manually inject CSRF prevention tokens using the JSP tag
> library
> * Developers can automate injection of CSRF prevention tokens using dynamic
> JavaScript DOM Manipulation
> * Tokens are only injected into HTML elements that submit requests to the
> current origin (planned for XHR)
> * JavaScript token injection can be configured to inject into links, forms,
> and XMLHttpRequests
> Please check out the following resources for more information regarding
> recent project updates:
> Project Page - http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
> User Manual - http://www.owasp.org/index.php/CSRFGuard_3_User_Manual
> Code Repository - http://code.google.com/p/owaspcsrfguard/
> Blog - http://ericsheridan.blogspot.com/
> -Eric
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
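Added illustration (not OWASP CSRFGuard's own JavaScript, nor the ModSecurity rule set) of the behaviour the announcement lists: tokens are attached to links, forms and XMLHttpRequests only when the target is the current origin, so a cross-origin link never carries the token away, and the Ajax path is verified by comparing the injected header against the session token. Function names, the page origin and the `OWASP_CSRFTOKEN` parameter/header name are assumptions.

```javascript
// Added example, not CSRFGuard code. Names and the token name are assumed.
const TOKEN_NAME = 'OWASP_CSRFTOKEN'; // assumed query-parameter and header name

// Resolve a possibly relative target against the page origin and compare
// scheme, host and port. Non-HTTP(S) targets (javascript:, mailto:) and
// unparseable strings get no token.
function isSameOrigin(target, pageOrigin) {
  let u;
  try { u = new URL(target, pageOrigin); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return u.origin === new URL(pageOrigin).origin;
}

// Links and form actions: append the token as a query parameter only for
// same-origin targets; cross-origin hrefs are returned untouched.
function tokenizedUrl(href, pageOrigin, token) {
  if (!isSameOrigin(href, pageOrigin)) return href;
  const u = new URL(href, pageOrigin);
  u.searchParams.set(TOKEN_NAME, token);
  return u.toString();
}

// XHR: the header to add before send(), or null when the request leaves the origin.
function csrfHeaderFor(url, pageOrigin, token) {
  return isSameOrigin(url, pageOrigin) ? { name: TOKEN_NAME, value: token } : null;
}

// Server side of the Ajax check (my choice of a constant-time compare, so a
// timing difference does not reveal how many leading bytes matched).
function verifyToken(presented, expected) {
  if (typeof presented !== 'string' || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Constructed sample: a same-origin form action and a cross-origin link.
const PAGE_ORIGIN = 'https://app.example.com';
console.log(tokenizedUrl('/account/transfer?amt=5', PAGE_ORIGIN, 'sampletoken'));
console.log(tokenizedUrl('https://other.example.net/', PAGE_ORIGIN, 'sampletoken'));
```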