[OWASP_PHPSEC] Cross Site Request Forgery

Minhaz A V minhazav at gmail.com
Sun Feb 23 08:42:57 UTC 2014


Hi,
As suggested in the paper, we have the traditional method of preventing CSRF by
sending a token to the client [by modifying the URL and using a cookie] and
then, for each request made by the client, matching these two parameters. It
also states this is not a very popular method because the *developer* tends to
commit mistakes, thus *forgets to implement* this everywhere required,
leaving *loopholes*.

I'm asking: isn't there a way that we can make sure that, using the library, it's very
easy for the developer to incorporate this feature like all other functions and
*reduce the risk of CSRF if he's not using CSRF Guard* on his server?

Regards,
Minhaz


Minhaz
cistoner.org


On Sun, Feb 23, 2014 at 5:13 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> The proxy that OWASP is going to implement is based on Prof. Sekar's
> paper. I suggested it a long time ago.
>
> As for CSRF protection as a library, unfortunately libraries are not very
> effective, mostly due to ajax calls. I have some code snippets in the PHP
> Security Cheat Sheet.
>
> The jWidget component of jframework, which essentially implements pull
> MVC, has a good implementation of CSRF in it. That's the only effective way
> I could think of.
> Thanks
> -A
>
> On Feb 22, 2014, at 2:53 PM, Minhaz A V <minhazav at gmail.com> wrote:
>
> Hi all,
> I'm of the impression that PHPSEC covers / mitigates most of the
> vulnerabilities that exist in the OWASP Top 10 list except CSRF. Also, this is
> something that OWASP aims to cover in this year's GSoC.
> With *OWASP CSRF Guard*, OWASP is aiming to implement a server-side proxy
> which can directly help mitigate CSRF without the developer's intervention.
>
> But as a set of security libraries, I think a CSRF prevention method should be
> implemented in phpsec as well! We could use the traditional token-based method
> here!
> Correct me if it has already been implemented :O
>
>
> Minhaz
> cistoner.org
>  _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>
>
>
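The token-based method Minhaz describes at the top of this message, and the "developer forgets a handler" and AJAX problems raised in the replies, can be shown in one small PHP class. This is an added example written for this thread, not phpsec's own code or API: the class name `CsrfGuard`, its method names, the `_csrf` field name and the `X-CSRF-Token` header are all assumptions. It keeps a per-session synchronizer token, emits it as a hidden form field, accepts it from either the form body or a request header (so XMLHttpRequest/fetch callers can send it too), and offers a fail-closed `enforce()` that a front controller calls once, so every state-changing request is checked whether or not the developer remembered a particular handler.

```php
<?php
// Added example for the OWASP_PHPSEC thread: a minimal synchronizer-token CSRF guard.
// Illustrative code, not phpsec's own API; CsrfGuard and its method names are assumed.

declare(strict_types=1);

final class CsrfGuard
{
    private const SESSION_KEY  = '_csrf_token';
    public  const FIELD        = '_csrf';              // hidden form field name (assumed)
    public  const HEADER       = 'HTTP_X_CSRF_TOKEN';  // $_SERVER key for X-CSRF-Token (assumed)
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    /** Return the per-session token, creating it on first use. */
    public static function token(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION[self::SESSION_KEY])) {
            // 32 random bytes, hex-encoded: unguessable and safe to embed in HTML and URLs.
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    /** HTML for a hidden field to drop into every state-changing form. */
    public static function field(): string
    {
        return '<input type="hidden" name="' . self::FIELD . '" value="'
            . htmlspecialchars(self::token(), ENT_QUOTES, 'UTF-8') . '">';
    }

    /**
     * Validate one request. Read-only methods pass; any other method must carry
     * the token in the form body or, for AJAX callers, in an X-CSRF-Token header.
     * $server and $post are passed in (normally $_SERVER and $_POST) so the
     * check can be unit-tested without a live request.
     */
    public static function validate(array $server, array $post): bool
    {
        $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
        if (in_array($method, self::SAFE_METHODS, true)) {
            return true;
        }
        $supplied = $post[self::FIELD] ?? $server[self::HEADER] ?? '';
        if (!is_string($supplied) || $supplied === '') {
            return false;   // fail closed: no token means no state change
        }
        // Constant-time comparison so the check does not leak the token byte by byte.
        return hash_equals(self::token(), $supplied);
    }

    /**
     * Fail-closed enforcement: called once in the front controller, before any
     * handler runs, so a forgotten per-handler check cannot open a hole.
     */
    public static function enforce(): void
    {
        if (!self::validate($_SERVER, $_POST)) {
            http_response_code(403);
            header('Content-Type: text/plain; charset=utf-8');
            echo "CSRF token missing or invalid\n";
            exit;
        }
    }
}

// Usage (assumed front controller):
//   CsrfGuard::enforce();   // before dispatching any request
//   echo '<form method="post">' . CsrfGuard::field() . ' ... </form>';
// AJAX callers read the token from the page and send it as a header, e.g.
//   fetch(url, {method: 'POST', headers: {'X-CSRF-Token': token}, body: data});
```

Two design points: the token lives in the server-side session rather than only in a cookie, so an attacker's cross-site request, which carries the victim's cookies automatically, still cannot produce the matching value; and because `enforce()` treats every non-GET/HEAD/OPTIONS request as state-changing by default, the library's default is to reject rather than to trust, which is the property Minhaz is asking for. The header path is what keeps AJAX endpoints covered without a separate mechanism.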