[OWASP_PHPSEC] CSRF Protection

rahul chaudhary rahul300chaudhary400 at gmail.com
Sun Jul 21 10:42:31 UTC 2013


Daily Report - July 20, 2013

Hello All,

Sorry I was late in submitting this report. Yesterday and most of today I
was busy studying CSRF prevention techniques. As pointed out in
Abbas's email, I read the jWidget library and the research paper about a
new technique, jCSRF.
Additionally I read the OWASP and Wikipedia pages on this matter and saw some
YouTube and DEF CON videos related to this.

Finally I concluded that there are mainly two prevalent techniques to
prevent this: one using a nonce (which is also used by Facebook) and the
other one pointed out in jCSRF. For legitimate cross-domain requests, only the
jCSRF technique made sense. In terms of implementation, it is somewhat difficult,
and I cannot say with a 100% guarantee now that I can do it. I will look
further into this matter after discussing it with the mentors. jWidget, on the
other hand, would prove extremely helpful if we do decide to implement jCSRF,
because it already has methods defined to inject JS code into pages.

After this, I also worked a little on the logs library and found a way
around the problem discussed in the last few emails. I will complete and push
the code, probably after Monday.

NOTE: MENTORS, I WOULD LIKE TO TAKE LEAVE ON SUNDAY AND MONDAY BECAUSE
I RECENTLY GOT A CALL FROM "CIGITAL" FOR AN ONLINE TEST. THIS IS A FULL
TIME JOB OPPORTUNITY FOR ME, SO ON MONDAY I HAVE A WRITTEN EXAM AND AN INTERVIEW.


On Sat, Jul 20, 2013 at 7:42 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> Actually I specifically think that's wrong, as it causes major
> inconvenience for the user.
> Assume you have opened a form and filled it in, e.g. to send an email. Then
> you open another one to send another email. Then you click send on the
> first one, and CSRF validation fails. And all your data is junk.
> Session (cookie) based CSRF is very safe, but very inconvenient for
> usual users.
> -Abbas
>
> On Tir 30, 1392, at 3:59 AM, Azeddine Islam Mennouchi <
> azeddine.mennouchi at owasp.org> wrote:
>
> I think that in jframework there is a per-page token.
> I suggest, as a plus, a per-session token to overcome some user behavior
> (like opening two tabs for the same form, etc.)
>
> Regards, Islam
>
>
> On Sat, Jul 20, 2013 at 1:17 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Hello Folks,
>> I was thinking of CSRF protection methods, and realized it's infeasible
>> unless we provide some widget library. There's one such thing named jWidget
>> in the core of the jframework project; it is still in beta, but is based on
>> security.
>> Please take a peek at it, and provide these three points:
>> 1. Do you know any other means of protecting against CSRF, instead of
>> this approach? (The jCSRF implementation provided in a paper by R. Sekar
>> from Stony Brook is one such thing. Abhishek, please study it and see if it's a
>> good idea for us to implement this instead of the widget library.)
>> 2. How can we abstract jWidget, to make it more of a flexible library than a
>> toolset?
>> 3. If you can extract the ideas inside jWidget and make a library based
>> on them, how so?
>>
>> @Andrew, I'm really looking forward to your professional feedback on this
>> as well.
>> Thanks
>> -Abbas
>>
>>
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>
>>
>
>
> --
> Islam Azeddine Mennouchi
> Consultant at ITS
> http://www.novasup.com/
> OWASP ALGERIA Chapter Leader
> phone n°: +213796314102
>
>
>
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
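The thread above contrasts a per-page (per-form) nonce, which breaks when the same form is open in two tabs, with a per-session token that survives that. The PHP below is an added illustration of both schemes written for this page; it is not code from the OWASP PHP Security Project, jframework or jWidget, and the function names, the $_SESSION layout and the MAX_PAGE_TOKENS bound are assumptions. It shows only the nonce/token side of the discussion, not the jCSRF approach from Sekar's paper for legitimate cross-domain requests.

```php
<?php
// Added illustration for the per-page vs per-session token discussion.
// NOT code from the OWASP PHP Security Project, jframework or jWidget;
// function names, the $_SESSION layout and MAX_PAGE_TOKENS are assumptions.
declare(strict_types=1);

// --- Per-session token (the "plus" suggested in the thread) --------------
// One secret per login session, embedded in every form. Two tabs showing the
// same form carry the same value, so submitting either of them validates.
function csrf_session_token(): string
{
    if (empty($_SESSION['csrf_session_token'])) {
        $_SESSION['csrf_session_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_session_token'];
}

function csrf_session_validate(string $submitted): bool
{
    $expected = $_SESSION['csrf_session_token'] ?? '';
    // hash_equals() compares in constant time; a plain === would leak how
    // many leading bytes matched through response timing.
    return $expected !== '' && hash_equals($expected, $submitted);
}

// --- Per-page (per-form) tokens ------------------------------------------
// A fresh nonce on every render, consumed on use. If the session kept only
// the most recent nonce, rendering the form in a second tab would overwrite
// the first tab's nonce and the first submission would fail: the two-tab
// inconvenience described in the thread. Keeping a small pool of outstanding
// nonces per form avoids that while each nonce stays single-use.
const MAX_PAGE_TOKENS = 16; // assumed bound on outstanding nonces per form

function csrf_page_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_page_tokens'][$form][] = $token;
    // Evict the oldest nonce once the pool is full, bounding session size.
    while (count($_SESSION['csrf_page_tokens'][$form]) > MAX_PAGE_TOKENS) {
        array_shift($_SESSION['csrf_page_tokens'][$form]);
    }
    return $token;
}

function csrf_page_validate(string $form, string $submitted): bool
{
    $pool = $_SESSION['csrf_page_tokens'][$form] ?? [];
    foreach ($pool as $i => $token) {
        if (hash_equals($token, $submitted)) {
            // Single use: remove it so a replayed request fails.
            unset($_SESSION['csrf_page_tokens'][$form][$i]);
            return true;
        }
    }
    return false;
}

// Rendering helper: the token goes into a hidden field and is escaped like
// any other output, even though it is hex.
function csrf_hidden_field(string $name, string $token): string
{
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES)
        . '" value="' . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// CLI walk-through with a fake session array (no session_start()), simulating
// the two-tab scenario from the thread.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $tab1 = csrf_page_token('send_email');   // first tab renders the form
    $tab2 = csrf_page_token('send_email');   // second tab renders it again
    var_dump(csrf_page_validate('send_email', $tab1)); // first tab submits
    var_dump(csrf_page_validate('send_email', $tab1)); // replay of that nonce
    var_dump(csrf_page_validate('send_email', $tab2)); // second tab submits
    $s = csrf_session_token();
    var_dump(csrf_session_validate($s));
    var_dump(csrf_session_validate(str_repeat('0', 64)));
    echo csrf_hidden_field('csrf', $s), PHP_EOL;
}
```

In the walk-through, both tab submissions are accepted and only the replay of an already-consumed nonce is rejected, which is the behaviour a pooled per-page scheme buys over a single stored nonce. Two caveats apply to either scheme: the token only helps when the session cookie alone authorizes state-changing requests, so it must never be accepted from a GET parameter or reflected in a URL, and a per-session token should be regenerated together with the session id at login so a token captured before authentication is worthless afterwards.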