[OWASP_PHPSEC] CSRF Protection

Abbas Naderi abiusx at owasp.org
Sat Jul 20 23:42:51 UTC 2013


Actually I specifically think that's wrong, as it causes major inconvenience for the user.
Assume you have opened a form and filled it, e.g. to send an email. Then you open another one to send another email. Then you click send on the first one, and CSRF validation fails. And all your data is junk.
Session (cookie) based CSRF is very safe, but very inconvenient for usual users.
-Abbas
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Tir 30, 1392, at 3:59 AM, Azeddine Islam Mennouchi <azeddine.mennouchi at owasp.org> wrote:

> I think that in the jframework there is a per-page token.
> I suggest as a plus a per-session token to overcome some user behavior (like opening two tabs for the same form, etc.)
> 
> Regards Islam,
> 
> 
> On Sat, Jul 20, 2013 at 1:17 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> Hello Folks,
> I was thinking of CSRF protection methods, and realized it's infeasible unless we provide some widget library. There's one such thing named jWidget in the core of the jframework project, which is still in beta, but is based on security.
> Please take a peek at it, and provide these three points:
> 1. Do you know any other means of protecting against CSRF, instead of this approach? (The jCSRF implementation provided in a paper by R. Sekar from Stony Brook is one such thing. Abhishek, please study it and see if it's a good idea for us to implement this instead of the widget library.)
> 2. How can we abstract jWidget to make it more of a flexible library than a toolset?
> 3. If you can extract the ideas inside jWidget and make a library based on them, how so?
> 
> @Andrew, I'm really looking forward to your professional feedback on this as well.
> Thanks
> -Abbas
> 
> -- 
> Islam Azeddine Mennouchi
> Consultant at ITS
> http://www.novasup.com/
> OWASP ALGERIA Chapter Leader
> phone n°: +213796314102
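As an added example (not jWidget or jframework code, and not from either author), the PHP below shows one way a per-form token scheme can avoid the two-tab failure described above: each rendered form gets its own single-use token, but the session remembers a bounded set of outstanding tokens, so the first tab still validates after the second one was opened. The function names csrf_issue, csrf_validate and csrf_field, the constants, and the session layout are all assumptions for this illustration.

```php
<?php
// Added example, not project code. Assumes the application runs this
// after session_start(); the demo at the bottom starts one itself.
const CSRF_MAX_TOKENS = 10;    // bound on outstanding tokens per session
const CSRF_TTL        = 3600;  // seconds a token stays valid

// Issue a fresh 256-bit token for one rendered form and remember it.
function csrf_issue(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][] = ['token' => $token, 'issued' => time()];
    // FIFO eviction keeps the store from growing without bound.
    if (count($_SESSION['csrf']) > CSRF_MAX_TOKENS) {
        array_shift($_SESSION['csrf']);
    }
    return $token;
}

// Accept a submitted token once; expired and unknown tokens are rejected.
function csrf_validate(?string $token): bool {
    if ($token === null || empty($_SESSION['csrf'])) {
        return false;
    }
    $now   = time();
    $match = null;
    // Compare against every stored token with hash_equals() so the check
    // is constant-time per entry and expired entries are pruned as we go.
    foreach ($_SESSION['csrf'] as $i => $entry) {
        if ($now - $entry['issued'] > CSRF_TTL) {
            unset($_SESSION['csrf'][$i]);
            continue;
        }
        if (hash_equals($entry['token'], $token)) {
            $match = $i;
        }
    }
    if ($match === null) {
        return false;
    }
    unset($_SESSION['csrf'][$match]);  // one-time use: consume on success
    return true;
}

// Hidden field to embed in each form the application renders.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_issue(), ENT_QUOTES, 'UTF-8') . '">';
}

// Demo: two tabs open the same form, then submit in the opposite order.
if (session_status() === PHP_SESSION_NONE) { session_start(); }
$tab1 = csrf_issue();
$tab2 = csrf_issue();
var_dump(csrf_validate($tab2)); // bool(true)
var_dump(csrf_validate($tab1)); // bool(true): first tab is still valid
var_dump(csrf_validate($tab1)); // bool(false): replay of a used token
```

The store is still scoped to the session cookie, so the defence Abbas calls "session based" is retained; only the inconvenience of a single outstanding token per session is removed.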
