[OWASP_PHPSEC] Daily Report - 20 July, 2013

rahul chaudhary rahul300chaudhary400 at gmail.com
Sun Jul 21 10:40:36 UTC 2013


Hello All,

Sorry I was late in submitting this request. Yesterday and most of today I
was busy in studying the CSRF prevention techniques. As pointed out in
Abbas's email, I read the jWidget library and the research paper about a
new technique jCSRF.
Additionally, I read OWASP's and Wikipedia's pages on this matter and saw some
YouTube and DEF CON videos related to this.

Finally, I concluded that there are mainly two prevalent techniques to
prevent this: one using a nonce (which is also used by Facebook) and the
other one pointed out in jCSRF. For legit cross-domain requests, only the jCSRF
technique made sense. In terms of implementation, it is somewhat difficult
and I cannot say with 100% guarantee now that I can do it... I will look
further into this matter after discussing it with the mentors. jWidget, on the
other hand, would prove extremely helpful if we do decide to implement jCSRF
because of the fact that it has already defined methods to inject JS code
into pages.

After this, I also worked a little on the logs library and found a way
through the problem discussed in the last few emails. I will complete and push
the code probably after Monday.

*NOTE: MENTORS, I WOULD LIKE TO TAKE LEAVE ON SUNDAY AND MONDAY BECAUSE
RECENTLY I GOT A CALL FROM "CIGITAL" FOR AN ONLINE TEST. SO THIS IS A FULL
TIME JOB OPPORTUNITY FOR ME. SO ON MONDAY I HAVE A WRITTEN EXAM AND INTERVIEW.*

-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
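The nonce-based technique named in the report above, as an added example that is not part of the original email or of the OWASP PHP security project's code: a per-session synchronizer token is generated once, embedded in every state-changing form, and checked with a constant-time comparison before the request is honoured. The function names and the use of `$_SESSION` as the token store are assumptions for illustration.

```php
<?php
// Added example: synchronizer ("nonce") token for CSRF prevention.
// Assumes PHP sessions are started before any of these run.

const CSRF_SESSION_KEY = 'csrf_token';   // hypothetical session key name

// Create the token once per session and reuse it; a fresh token on every
// page load breaks multi-tab use without improving security.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe embedding.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field to drop into every form that changes state (POST/PUT/DELETE).
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verify the submitted value. hash_equals() compares in constant time so the
// check does not leak the token byte by byte through timing.
function csrf_verify(?string $submitted): bool
{
    if (empty($_SESSION[CSRF_SESSION_KEY]) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION[CSRF_SESSION_KEY], $submitted);
}

// Typical handler: reject the request before any state change happens.
function handle_post(array $post): string
{
    if (!csrf_verify($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'CSRF token missing or invalid';
    }
    // ... perform the state-changing action here ...
    return 'ok';
}
```

A cross-site form post cannot read the victim's session token, so it fails `csrf_verify()`; the jCSRF approach mentioned in the report exists precisely because this token cannot be shared across legitimate cross-domain requests.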