[Owasp-Malaysia] OWASP CSRFGuard (ALPHA) Released!

OWASP Malaysia admin at owasp.my
Thu Dec 16 02:53:43 EST 2010


By Eric Sheridan

It is with great pride that I announce the release of OWASP CSRFGuard (ALPHA)! This is a development release of the v3 series that is in
need of peer review, testing, and general feedback in preparation for BETA.
There are several significant new features that are in need of testing in
the enterprise development environments. Please contact me for support if
you are interested in testing the latest release. Of course, I am always
open to questions, comments, or feature requests! Please check out the
project home page ( ) and User Manual (http://www.owasp.org/index.php/CSRFGuard_3_User_Manual)
for more information about how to install, configure, and deploy the OWASP
CSRFGuard library.

OWASP CSRFGuard has been completely rewritten to address the various feature
requests and bug fixes submitted to me over the past couple years. No longer
will CSRFGuard be referred to as just a "reference implementation". By
addressing the performance and scalability issues plaguing older releases,
OWASP CSRFGuard v3 is intended to serve as the de-facto standard prevention
mechanism against CSRF attacks for JavaEE web applications. The following is
a bulleted summary of the significant changes associated with the v3

* OWASP CSRFGuard is now available under the much more liberal BSD license
* Owasp.CsrfGuard.properties file can be loaded from classpath, web context
directory, or current directory
* Developers can implement a custom logger to be consumed by the library
* Experimental support for the rotation of CSRF tokens once the previous
token is expired
* Experimental support for creating and verifying unique CSRF tokens per
* Experimental support for Ajax through the verification of headers
dynamically injected by CSRFGuard JavaScript
* Configurable actions including Log, Invalidate, Redirect, Forward,
RequestAttribute, and SessionAttribute
* Unprotected pages can be captured using same syntax used by the JavaEE
container in web.xml
* Library no longer intercepts HTTP responses produced by the web
* Developers can manually inject CSRF prevention tokens using the JSP tag
* Developers can automate injection of CSRF prevention tokens using dynamic
JavaScript DOM Manipulation
* Tokens are only injected into HTML elements that submit requests to the
current origin (planned for XHR)
* JavaScript token injection can be configured to inject into links, forms,
and XMLHttpRequests

Please check out the following resources for more information regarding
recent project updates:

Project Page -

User Manual - http://www.owasp.org/index.php/CSRFGuard_3_User_Manual

Code Repository - http://code.google.com/p/owaspcsrfguard/
Blog - http://ericsheridan.blogspot.com/

Admin OWASP Malaysia
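The "current origin" rule in the feature list above (tokens are injected only into elements that submit to the page's own origin, so they cannot leak to third-party sites) is illustrated here with a small added example; this is not CSRFGuard's JavaScript, and the parameter name and sample URLs are assumptions made for the illustration.

```javascript
// Added example, not code from the CSRFGuard project. Shows how a token
// injector decides which link and form targets may receive the CSRF token.
const TOKEN_NAME = "OWASP_CSRFTOKEN"; // assumed parameter name for the example

// True only when `target` resolves to the same scheme, host and port as the
// page. Relative paths resolve against the page URL. Anything that is not an
// http(s) URL (mailto:, javascript:, malformed input) is rejected so that a
// token is never appended to it.
function isSameOrigin(target, pageUrl) {
  let resolved;
  try {
    resolved = new URL(target, pageUrl);
  } catch (e) {
    return false; // unparsable href: do not inject
  }
  if (resolved.protocol !== "http:" && resolved.protocol !== "https:") {
    return false;
  }
  // URL.origin normalises default ports, so https://host:443 matches https://host
  return resolved.origin === new URL(pageUrl).origin;
}

// Link handling: append the token as a query parameter for same-origin
// targets; cross-origin and non-http targets are returned unchanged.
function injectToken(target, pageUrl, token) {
  if (!isSameOrigin(target, pageUrl)) return target;
  const u = new URL(target, pageUrl);
  u.searchParams.set(TOKEN_NAME, token);
  return u.toString();
}

// Form handling: a hidden field is produced only for same-origin actions;
// null means "leave this form alone".
function hiddenFieldFor(action, pageUrl, token) {
  if (!isSameOrigin(action, pageUrl)) return null;
  return { name: TOKEN_NAME, value: token };
}

// Constructed sample: one page URL, a mix of same-origin and foreign targets.
const PAGE = "https://app.example/account/settings";
const SAMPLE_TARGETS = [
  "/transfer?to=bob",
  "//evil.example/steal",
  "mailto:admin@app.example",
];
const PLAN = SAMPLE_TARGETS.map((t) => [t, injectToken(t, PAGE, "tok")]);
```

`PLAN` pairs each sample target with what the injector would emit; only the relative `/transfer` link gains the token.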