[OWASP_PHPSEC] Cross Site Request Forgery
abiusx at owasp.org
Sat Feb 22 23:43:50 UTC 2014
The proxy that OWASP is going to implement is based on Prof. Sekar’s paper. I suggested it a long time ago.
As for CSRF protection as a library, unfortunately libraries are not very effective, mostly due to ajax calls. I have some code snippets in the PHP Security Cheat Sheet.
The jWidget component of jframework, which essentially implements pull MVC, has a good implementation of CSRF in it. That’s the only effective way I could think of.
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com
On Feb 22, 2014, at 2:53 PM, Minhaz A V <minhazav at gmail.com> wrote:
> Hi all,
> I'm of the impression that PHPSEC covers / mitigates most of the vulnerabilities that exist in the OWASP Top 10 list except CSRF. Also, this is something that OWASP aims to cover in this year's GSOC.
> With OWASP CSRFGuard, OWASP is aiming to implement a server-side proxy which can directly help mitigate CSRF without the developer's intervention.
> But as a set of security libraries, I think a CSRF prevention method should be implemented in phpsec as well! We could use the traditional token-based method here!
> Correct me if it has already been implemented :O
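The token-based method proposed above, and the AJAX problem raised in the reply, as an added example (not code from phpsec, jframework or the PHP Security Cheat Sheet): a session-bound synchronizer token that is accepted either as a hidden form field or as an `X-CSRF-Token` request header, so AJAX calls can be covered by having the page's script copy the token into that header. The session key, field name and header name are assumptions chosen for this example.

```php
<?php
// Added example (not phpsec library code): a synchronizer-token CSRF check
// that also covers AJAX requests by accepting the token from a request header.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';        // assumed session key name
const CSRF_HEADER      = 'HTTP_X_CSRF_TOKEN'; // $_SERVER key for "X-CSRF-Token"

// Create (once per session) and return the token to embed in forms/pages.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe embedding.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field for classic HTML forms.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a state-changing request. The token may arrive as a POST field
// (forms) or as the X-CSRF-Token header (AJAX; the page's script is assumed
// to copy it from a <meta> tag). Returns true only on an exact match.
function csrf_validate(array $post, array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $supplied = $post['csrf_token'] ?? $server[CSRF_HEADER] ?? '';
    if ($expected === '' || !is_string($supplied) || $supplied === '') {
        return false;
    }
    // hash_equals() compares in constant time, so the check does not leak
    // the token through timing differences.
    return hash_equals($expected, $supplied);
}

// Usage on a state-changing endpoint:
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_validate($_POST, $_SERVER)) {
//     http_response_code(403);
//     exit('Invalid CSRF token');
// }
```

Because the token is tied to the session and never accepted from a cookie or query string, a cross-site form or XHR cannot supply it; keeping a single token per session is what lets the same check serve both forms and AJAX calls.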