[Owasp-leaders] CSRF unique per session or per action?

Kevin W. Wall kevin.w.wall at gmail.com
Wed Aug 27 03:55:08 UTC 2014

Abbas Naderi and I had the privilege of mentoring Minhaz for
this year's Google Summer of Code, which just recently ended.
Minhaz' project was one done for OWASP and the name
of his project was "CSRF Protector". For those of you familiar
with OWASP's CSRF Guard, CSRF Protector takes a slightly
different approach. It uses custom JavaScript to inject CSRF
tokens as cookies.

While Minhaz is subscribed to this list, he is unable to post to
it so he asked me to post this for him.

Here's what he wanted to say.
Using per request token is a better option, such that tokens are regenerated
whenever consumed. Because in case of per session token, if an attacker
somehow gets the token set for the user (say using man in the middle attack),
he can use it for CSRF. Per request token has been implemented in CSRF
Protector, and works fine with AJAX applications as well, as latest tokens
(from cookie) are attached with each request sent from client.

But per request tokens doesn't work well with noJS unless we restrict multiple
tabs in application or we store tokens generated for each request in the
server and remove them on correct validation or timeout.

The one thing that I would add would be to provide the OWASP wiki page
for his project:

>From there you can find links to his source code.

Thanks for listening.
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.

More information about the OWASP-Leaders mailing list