[OWASP_PHPSEC] Cross Site Request Forgery

Abbas Naderi abiusx at owasp.org
Sat Feb 22 23:43:50 UTC 2014


The proxy that OWASP is going to implement is based on Prof. Sekar's paper. I suggested it a long time ago.

As for CSRF protection as a library, unfortunately libraries are not very effective, mostly due to AJAX calls. I have some code snippets in the PHP Security Cheat Sheet.

The jWidget component of jframework, which essentially implements pull MVC, has a good implementation of CSRF in it. That’s the only effective way I could think of.
Thanks
-A

______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird on AbiusX.com

On Feb 22, 2014, at 2:53 PM, Minhaz A V <minhazav at gmail.com> wrote:

> Hi all,
> I'm of the impression that PHPSEC covers / mitigates most of the vulnerabilities that exist in the OWASP Top 10 list except CSRF. Also this is something that OWASP aims to cover in this year's GSOC.
> With OWASP CSRFGuard, OWASP is aiming to implement a server-side proxy which can directly help mitigate CSRF without the developer's intervention.
> 
> But as a set of security libraries, I think a CSRF prevention method should be implemented in phpsec as well! We could use the traditional token-based method here!
> Correct me if it has already been implemented :O
> 
> 
> Minhaz
> cistoner.org
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
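The token-based method Minhaz proposes, with the AJAX case Abbas flags as the usual weak spot, as an added example; this is not phpsec, jframework or CSRFGuard code. It is a synchronizer token bound to the session: the same token is emitted as a hidden form field for classic POSTs and as a meta tag that client-side JavaScript can copy into an X-CSRF-Token request header, so AJAX calls are covered by the same check. The class name CsrfGuard, the session slot csrf_token, the field name csrf_token and the header name X-CSRF-Token are all assumptions made for this example; the session array and the requests are constructed stand-ins for $_SESSION, $_POST and $_SERVER.

```php
<?php
declare(strict_types=1);

// Added example, not phpsec code. Synchronizer-token CSRF guard that accepts
// the token either from a hidden form field or from an X-CSRF-Token header,
// so that AJAX requests are checked with the same logic as form posts.
final class CsrfGuard
{
    private const SESSION_KEY = 'csrf_token';        // assumed session slot
    private const FIELD_NAME  = 'csrf_token';        // assumed hidden-field name
    private const HEADER_KEY  = 'HTTP_X_CSRF_TOKEN'; // $_SERVER key for "X-CSRF-Token"

    private $session; // reference to the session array, injected for testability

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // One token per session: 256 bits from the CSPRNG, generated lazily.
    public function token(): string
    {
        if (!isset($this->session[self::SESSION_KEY])) {
            $this->session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::SESSION_KEY];
    }

    // For classic HTML forms. Escaped even though the token is hex, out of habit.
    public function hiddenField(): string
    {
        return sprintf('<input type="hidden" name="%s" value="%s">',
            self::FIELD_NAME, htmlspecialchars($this->token(), ENT_QUOTES, 'UTF-8'));
    }

    // For AJAX: client JS reads this tag and sets the X-CSRF-Token header.
    public function metaTag(): string
    {
        return sprintf('<meta name="csrf-token" content="%s">',
            htmlspecialchars($this->token(), ENT_QUOTES, 'UTF-8'));
    }

    // Only state-changing methods need the check; safe methods must not mutate.
    public static function requiresCheck(string $method): bool
    {
        return !in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true);
    }

    // Returns true when the request may proceed, false when it must be rejected.
    public function validate(array $post, array $server): bool
    {
        $method = $server['REQUEST_METHOD'] ?? 'GET';
        if (!self::requiresCheck($method)) {
            return true;
        }
        if (!isset($this->session[self::SESSION_KEY])) {
            return false; // no token was ever issued for this session
        }
        // Form field first, then header: an AJAX call usually sends only the header.
        $submitted = $post[self::FIELD_NAME] ?? $server[self::HEADER_KEY] ?? null;
        if (!is_string($submitted) || $submitted === '') {
            return false;
        }
        // Constant-time comparison; never compare tokens with == or ===.
        return hash_equals($this->session[self::SESSION_KEY], $submitted);
    }
}

// Demo on constructed data (no real HTTP, no real session).
$session = [];
$guard   = new CsrfGuard($session);
$token   = $guard->token();

echo $guard->hiddenField(), "\n", $guard->metaTag(), "\n";

$cases = [
    'form POST with hidden field' => [['csrf_token' => $token], ['REQUEST_METHOD' => 'POST']],
    'AJAX POST with header only'  => [[], ['REQUEST_METHOD' => 'POST', 'HTTP_X_CSRF_TOKEN' => $token]],
    'forged cross-site POST'      => [[], ['REQUEST_METHOD' => 'POST']],
    'guessed token'               => [['csrf_token' => str_repeat('0', 64)], ['REQUEST_METHOD' => 'POST']],
    'plain GET'                   => [[], ['REQUEST_METHOD' => 'GET']],
];
foreach ($cases as $label => [$post, $server]) {
    printf("%-28s -> %s\n", $label, $guard->validate($post, $server) ? 'accepted' : 'rejected');
}
```

The check has to sit in front of every state-changing handler, which is exactly the developer intervention the proxy approach tries to avoid; a library can only make it cheap, not automatic. Two caveats: the token is kept for the whole session rather than rotated per request, because per-request tokens break pages that fire several AJAX calls or are open in more than one tab; and the header variant only helps if the JavaScript actually attaches it, so an application-wide request wrapper is the practical way to enforce that.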


