[OWASP_PHPSEC] CSRF Protection

Abbas Naderi abiusx at owasp.org
Sun Jul 21 16:12:25 UTC 2013


That is great, but which of the following:
1. You think that jWidget is too detailed (how it handles CSRF) and jCSRF is more transparent to use,
2. Or you think we need to provide jWidget's approach via abstraction to others who want to use HTML Forms?
-Abbas
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If you mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Tir 30, 1392, at 3:12 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> Daily Report - July 20, 2013
> 
> Hello All,
> 
> Sorry I was late in submitting this request. Yesterday and most of today I was busy in studying the CSRF prevention techniques. As pointed out in Abbas's email, I read the jWidget library and the research paper about a new technique jCSRF.
> Additionally I read OWASP's and wikipedia pages on this matter and saw some youtube and defcon videos related to this.
> 
> Finally I concluded that there are mainly two prevalent techniques to prevent this: one using nounce (which is also used by Facebook) an the other one pointed out in jCSRF. For legit cross-domain requests, only jCSRF technique made sense. In terms of implementation, it is somewhat difficult and I cannot say with 100% guarantee now that I can do it....I will look further in this matter after discussing this with the mentors. jWidget on other hand would prove exremenly helpful if we do decide to implement jCSRF because of the fact that it has already defined methods to inject JS codes in pages. 
> 
> After this, I also worked a little on the logs library and found a way through the problem discussed in last few emails. I will complete and push the codes probably after monday.
> 
> NOTE: MENTORS, I WOULD LIKE TO TAKE LEAVE ON SUNDAY AND MONDAY BECAUSE RECENTLY I GOT A CALL FROM "CIGITAL" FOR AN ONLINE TEST. SO THIS IS A FULL TIME JOB OPPORTUNITY FOR ME. SO ON MONDAY I HAVE WRITTEN EXAM AND INTERVIEW.
> 
> 
> On Sat, Jul 20, 2013 at 7:42 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> Actually I specifically think thats wrong, as it causes major inconvenience for the user.
> Assume you have opened a form and filled it, e.g to send an email. Then you open another one to send another email. Then you click send on the first one, and csrf validation fails. And all your data is junk.
> Session (cookie) based CSRF, is very safe, but very inconvenience for usual users.
> -Abbas
> ______________________________________________________________
> Notice: This message is digitally signed, its source and integrity are verifiable.
> If you mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com
> 
> On Tir 30, 1392, at 3:59 AM, Azeddine Islam Mennouchi <azeddine.mennouchi at owasp.org> wrote:
> 
>> I Think that in the jframework there is a per-page token
>> I suggest as a plus a per-session Token to over come some user behavior (like opening two tabs for the same form .. etc)
>> 
>> Regards Islam,
>> 
>> 
>> On Sat, Jul 20, 2013 at 1:17 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Hello Folks,
>> I was thinking of CSRF protection methods, and realize its infeasible unless we provide some widget library. There's one such thing named jWidget in the core of jframework project, and is still in beta, but is based on security.
>> Please take a peek at it, and provide these three points:
>> 1. Do you know any other means of protecting against CSRF, instead of this approach ? (The jCSRF implementation provided in a paper by R. Sekar from Stony Brook, is one such thing. Abhishek plz study it and see if its a good idea for us to implement this instead of the widget library)
>> 2. How can we abstract jWidget, to make more of a flexible library than a toolset?
>> 3. If you can extract the ideas inside jWidget, and make a library based on them, how so?
>> 
>> @Andrew, I'm really looking forward to your professional feedback on this as well.
>> Thanks
>> -Abbas
>> ______________________________________________________________
>> Notice: This message is digitally signed, its source and integrity are verifiable.
>> If you mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com
>> 
>> 
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>> 
>> 
>> 
>> 
>> -- 
>> Islam Azeddine Mennouchi
>> Consultant at ITS
>> http://www.novasup.com/
>> OWASP ALGERIA Chapter Leader
>> phone n°: +213796314102
> 
> 
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
> 
> 
> 
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130721/ddf93dd3/attachment-0001.html>


More information about the OWASP_PHP_Security_Project mailing list