[Owasp-leaders] How CSRFGuard Protects Ajax

eric sheridan eric.sheridan at owasp.org
Thu Dec 23 12:43:55 EST 2010


OWASP Leaders,

There have been several discussions on web application security
mailing lists and blogs about the best strategy to protect Ajax
interfaces from Cross-Site Request Forgery (CSRF) attacks. Most of
these discussions center around verification of the X-Requested-With
header or adoption and subsequent verification of the Origin header. I
thought now would be a good time to talk about how OWASP CSRFGuard v3
protects Ajax interfaces from CSRF attacks. CSRFGuard makes use of
JavaScript function hijacking to inject custom headers into valid
requests sent by the XMLHttpRequest object. These headers include
X-Requested-With and a custom header name value pair containing the
per-session CSRF prevention token. More technical details of that
strategy including a discussion of the Origin header can be found at
http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html.
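To make the function-hijacking idea concrete, here is an added example (my own sketch, not CSRFGuard's code): it wraps XMLHttpRequest's open() and send() so that same-origin requests leave with X-Requested-With and a per-session token header, and shows the matching server-side check. The header name, token value, page origin and the stand-in XMLHttpRequest class are constructed placeholders so the snippet runs outside a browser.

```javascript
// Added example, not CSRFGuard's own code: the XMLHttpRequest hijack the post
// describes plus the server-side check. Header name and token are placeholders.
const TOKEN_HEADER = 'OWASP_CSRFTOKEN';           // assumed header name
const SESSION_TOKEN = 'constructed-session-token'; // would be issued by the server

// Constructed stand-in for the browser's XMLHttpRequest so this runs in Node;
// in a page you would wrap window.XMLHttpRequest instead.
class FakeXMLHttpRequest {
  constructor() { this.headers = {}; this.sent = false; }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(name, value) { this.headers[name] = value; }
  send(body) { this.body = body; this.sent = true; }
}
const XHR = typeof XMLHttpRequest === 'undefined' ? FakeXMLHttpRequest : XMLHttpRequest;

// Only same-origin requests get the token: injecting it into cross-origin
// requests would hand the secret to a third party.
function isSameOrigin(url, pageOrigin) {
  try { return new URL(url, pageOrigin).origin === pageOrigin; }
  catch (e) { return false; }
}

// Hijack open() to record the destination and send() to add the headers just
// before the request leaves, after any headers the calling code already set.
function installCsrfGuard(xhrClass, pageOrigin) {
  const origOpen = xhrClass.prototype.open;
  const origSend = xhrClass.prototype.send;
  xhrClass.prototype.open = function (method, url, ...rest) {
    this._csrfInject = isSameOrigin(url, pageOrigin);
    return origOpen.call(this, method, url, ...rest);
  };
  xhrClass.prototype.send = function (body) {
    if (this._csrfInject) {
      this.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
      this.setRequestHeader(TOKEN_HEADER, SESSION_TOKEN);
    }
    return origSend.call(this, body);
  };
}

// Server side: accept only if both headers are present and the token equals
// the one bound to the session. Returns true for a valid request.
function verifyCsrf(headers, expectedToken) {
  return headers['X-Requested-With'] === 'XMLHttpRequest' &&
         typeof headers[TOKEN_HEADER] === 'string' &&
         headers[TOKEN_HEADER] === expectedToken;
}

installCsrfGuard(XHR, 'https://app.example'); // assumed page origin
const req = new XHR();
req.open('POST', '/account/transfer');
req.send('amount=100'); // now carries X-Requested-With and the token header
```

Because the browser's same-origin policy stops a cross-site page from setting custom headers on a request it forges, a request that arrives without both headers can be rejected as CSRF.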

My big driver here is to encourage people to review, test, and provide
feedback on the current status of OWASP CSRFGuard v3. Please let me
know what you think!

-Eric
