[OWASP_PHPSEC] Cross Site Request Forgery

Abbas Naderi abiusx at owasp.org
Sun Feb 23 17:48:19 UTC 2014


Hi,
The thingie in the PHP Security Cheat Sheet will do that, but not for AJAX needs, so we need to have that, plus some API for JavaScript that people can use. Also keep in mind that currently it is using regular expressions, which are not a wise way to consume HTML.
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Feb 23, 2014, at 3:42 AM, Minhaz A V <minhazav at gmail.com> wrote:

> Hi,
> As suggested in the paper, we have the traditional method of preventing CSRF by sending a token to the client [by modifying the URL and using a cookie] and then, for each request made by the client, matching these two parameters. It also states this is not a very popular method because developers tend to make mistakes, thus forgetting to implement this everywhere it is required, leaving loopholes.
> 
> I'm asking: isn't there a way to make sure that, using the library, it's very easy for the developer to incorporate this feature like all the other functions, and reduce the risk of CSRF if he's not using CSRF Guard on his server?
> 
> Regards,
> Minhaz
> 
> 
> Minhaz
> cistoner.org
> 
> 
> On Sun, Feb 23, 2014 at 5:13 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> The proxy that OWASP is going to implement is based on Prof. Sekar’s paper. I suggested it a long time ago.
> 
> As for CSRF protection as a library, unfortunately libraries are not very effective, mostly due to AJAX calls. I have some code snippets in the PHP Security Cheat Sheet.
> 
> The jWidget component of jframework, which essentially implements pull MVC, has a good implementation of CSRF in it. That’s the only effective way I could think of.
> Thanks
> -A
> 
> On Feb 22, 2014, at 2:53 PM, Minhaz A V <minhazav at gmail.com> wrote:
> 
>> Hi all,
>> I'm of the impression that PHPSEC covers / mitigates most of the vulnerabilities that exist in the OWASP Top 10 list except CSRF. Also, this is something that OWASP aims to cover in this year's GSoC.
>> With OWASP CSRF Guard, OWASP is aiming to implement a server-side proxy which can directly help mitigate CSRF without the developer's intervention.
>> 
>> But as a set of security libraries, I think a CSRF prevention method should be implemented in phpsec as well! We could use the traditional token-based method here!
>> Correct me if it has already been implemented :O
>> 
>> 
>> Minhaz
>> cistoner.org
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
> 
> 

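As an added example (not phpsec's code and not the cheat-sheet snippet Abbas refers to), this is the shape of a library-level token check the thread is asking for: one central guard that covers both classic form posts and AJAX calls sending the token in a request header, so the developer does not have to remember the check in every handler. It assumes PHP 7+ and the synchronizer-token pattern with the token kept in the session; the class name, field name and the X-CSRF-Token header are this example's own choices.

```php
<?php
// Added example (not phpsec's own code): synchronizer-token CSRF helper with one central
// guard, so the check runs on every state-changing request instead of per form handler.
final class CsrfToken
{
    const FIELD  = '_csrf';             // hidden form field name (example's choice)
    const HEADER = 'HTTP_X_CSRF_TOKEN'; // $_SERVER key of the X-CSRF-Token request header
    private $store;                     // by reference: $_SESSION in an app, an array here

    public function __construct(array &$store) { $this->store = &$store; }

    /** Per-session token, created on first use; hex, so it embeds safely in HTML. */
    public function token()
    {
        if (empty($this->store['csrf'])) {
            $this->store['csrf'] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
        }
        return $this->store['csrf'];
    }

    /** Hidden input for classic forms. */
    public function field() { return '<input type="hidden" name="' . self::FIELD . '" value="' . $this->token() . '">'; }

    /** Meta tag a JavaScript helper reads to set X-CSRF-Token on its AJAX requests. */
    public function meta() { return '<meta name="csrf-token" content="' . $this->token() . '">'; }

    /** Call once per request from the front controller with REQUEST_METHOD, $_POST, $_SERVER. */
    public function guard($method, array $post, array $server)
    {
        if (in_array($method, array('GET', 'HEAD', 'OPTIONS'), true)) {
            return true; // safe methods carry no token and must have no side effects
        }
        $sent = isset($post[self::FIELD]) ? $post[self::FIELD]
              : (isset($server[self::HEADER]) ? $server[self::HEADER] : null);
        if (!is_string($sent) || empty($this->store['csrf'])) {
            return false; // token missing, or no session token issued yet: never accept
        }
        return hash_equals($this->store['csrf'], $sent); // constant-time comparison
    }
}

$session = array(); // constructed stand-in for $_SESSION
$csrf = new CsrfToken($session);
$t = $csrf->token();  // issued when the page (form or meta tag) is rendered
var_dump($csrf->guard('POST', array('_csrf' => $t), array()));            // legitimate form post
var_dump($csrf->guard('POST', array(), array('HTTP_X_CSRF_TOKEN' => $t))); // legitimate AJAX call
var_dump($csrf->guard('POST', array(), array()));                           // cross-site POST: no token
```

The JavaScript API the thread asks for reduces to reading the csrf-token meta tag once and adding the X-CSRF-Token header to every XMLHttpRequest or fetch call, which a small wrapper around the request function can do for the whole page.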

