[Owasp-leaders] OWASP CSRFGuard

Ryan Barnett ryan.barnett at owasp.org
Fri Oct 29 09:44:59 EDT 2010


I actually added a similar method to the OWASP ModSecurity Core Rule Set
where I used ModSecurity's Content Injection capabilities to append a
modified version of CSRFGuard's csrf.js data (
http://code.google.com/p/owaspcsrfguard/source/browse/trunk/main/OWASP-CSRFGuard/src/org/owasp/csrfguard/handlers/csrf.js?r=2 )
to the bottom of HTTP responses.  ModSecurity was used to create the CSRF
nonce hash data, append the JS to the http response and then validate the
csrf token data on subsequent requests.  Example
modsecurity_crs_43_csrf_protection.conf file can be seen here in SVN -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/optional_rules/modsecurity_crs_43_csrf_protection.conf?revision=1527

While this implementation works, one issue that I found with the csrf.js
code is that it will only update Forms and html links.  It will not
currently add the csrf token to AJAX code.  This would be a good
improvement.  I actually mentioned this when I announced the CRS update (
http://owasp.blogspot.com/2010/06/owasp-modsecurity-core-rule-set.html) but
have not yet had anyone offer to help.

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader
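The AJAX gap described in the message above, as an added example that is not part of CSRFGuard's csrf.js, the ModSecurity CRS, or the original post: a small client-side shim that puts the CSRF token on same-origin links (what csrf.js already does) and on XMLHttpRequest calls via a request header (what it does not). The token name OWASP_CSRFTOKEN, the header name X-CSRF-Token, the sample nonce value, the page origin, and the FakeXhr stand-in used to exercise the hook outside a browser are all assumptions made for this example; a server-side validator such as a ModSecurity rule would have to accept the token from the header as well as from the request arguments, which is not shown here.

```javascript
// Added example: CSRF token injection for same-origin links and AJAX requests.
// Not code from CSRFGuard's csrf.js or the ModSecurity CRS. The token name,
// header name, nonce value and page origin below are assumptions.

const TOKEN_NAME = "OWASP_CSRFTOKEN";          // assumed parameter name
const TOKEN_HEADER = "X-CSRF-Token";           // assumed header name for AJAX
const TOKEN_VALUE = "7f3a9c1e2b4d";            // assumed nonce; server injects the real one
const PAGE_ORIGIN = "https://app.example.com"; // assumed origin of the protected page

// Decide whether a request URL targets the protected origin. The token must
// never be attached to cross-origin requests: that would hand it to a third
// party. Relative URLs resolve against the page origin and are accepted;
// absolute and protocol-relative URLs are resolved and compared by origin.
function isSameOrigin(url, origin = PAGE_ORIGIN) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(url);
  if (!hasScheme && !url.startsWith("//")) {
    return true;
  }
  try {
    return new URL(url, origin).origin === origin;
  } catch (e) {
    return false; // unparseable URL: do not attach the token
  }
}

// Append the token as a query parameter to a same-origin link, keeping any
// fragment at the end and not duplicating a token that is already present.
// Tokens in URLs can leak through the Referer header; the header-based hook
// below avoids that for AJAX, but links have no other place to carry it.
function addTokenToUrl(url, name = TOKEN_NAME, value = TOKEN_VALUE) {
  if (!isSameOrigin(url)) return url;
  const hashIdx = url.indexOf("#");
  const base = hashIdx === -1 ? url : url.slice(0, hashIdx);
  const fragment = hashIdx === -1 ? "" : url.slice(hashIdx);
  const qIdx = base.indexOf("?");
  const query = qIdx === -1 ? "" : base.slice(qIdx + 1);
  const present = query.split("&").some((p) => p.split("=")[0] === name);
  if (present) return url;
  const sep = qIdx === -1 ? "?" : (query === "" ? "" : "&");
  return base + sep + encodeURIComponent(name) + "=" + encodeURIComponent(value) + fragment;
}

// Wrap an XMLHttpRequest-like constructor so that every same-origin request
// carries the token in a request header. open() records the target, send()
// adds the header only when the target is the protected origin.
function installXhrHook(XhrClass, header = TOKEN_HEADER, value = TOKEN_VALUE) {
  const origOpen = XhrClass.prototype.open;
  const origSend = XhrClass.prototype.send;
  XhrClass.prototype.open = function (method, url, ...rest) {
    this._csrfSameOrigin = isSameOrigin(String(url));
    return origOpen.call(this, method, url, ...rest);
  };
  XhrClass.prototype.send = function (body) {
    if (this._csrfSameOrigin) {
      this.setRequestHeader(header, value);
    }
    return origSend.call(this, body);
  };
  return XhrClass;
}

// Minimal stand-in for the browser's XMLHttpRequest, constructed for this
// example so the hook can be exercised outside a browser.
class FakeXhr {
  constructor() { this.headers = {}; this.url = null; this.body = null; }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(k, v) { this.headers[k] = v; }
  send(body) { this.body = body; this.sent = true; }
}

// Send one request through a freshly hooked class and return the headers it
// carried, so the behaviour can be checked for both same- and cross-origin URLs.
function headersSentTo(url) {
  const Hooked = installXhrHook(class extends FakeXhr {});
  const xhr = new Hooked();
  xhr.open("POST", url);
  xhr.send("amount=100");
  return xhr.headers;
}

// In a real page: installXhrHook(XMLHttpRequest); then rewrite each <a href>
// with addTokenToUrl(a.href) as csrf.js does for links.
```

The same-origin check is the part worth keeping even if the rest is replaced: a shim that blindly adds the token to every XHR or link would send the nonce to any third-party host the page talks to.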


On 10/29/10 9:09 AM, "Jim Manico" <jim.manico at owasp.org> wrote:

> Hello,
>  
> The OWASP CSRF guard project (
> http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project ) has recently
> been deemed "inactive" and I'm trying to help bring it back to life.
>  
> I'm taking a survey of folks who have used CSRFGuard. In particular, I would
> like to understand any potential modifications CSRFGuard users have had to
> make in order to implement it successfully for their website. I'd also like to
> hear of any success stories of using CSRFGuard out of the box.
>  
> Any feedback regarding this matter is greatly appreciated.
>  
> Thanks kindly + Aloha,
>  
> Jim Manico
> OWASP Podcast Producer
> OWASP ESAPI Project Manager
> http://manico.net
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
