OWASP CSRF Protector

OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x

  1. Minhaz Av
    • 1. Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP CSRF Protector Minhaz 3rd year, Computer Engineering Delhi Technological University minhaz@owasp.org 20.09.14
    • 2. OWASP What all I’ll cover? Very brief introduction of CSRF; Introduction: CSRF Protector Project; Software Design; Brief introduction on implementation & final products; Salient Features; Roadmaps & Plans; Feedback & Questions 2
    • 3. OWASP 3 So what’s CSRF? SKIP
    • 4. OWASP 4 Nice Server http://www.bestbank.com Admin ******** BestBank Login Page Login Forgot Password? Protected by 128 bit encryption ….. Request URL: http://www.bestbank.com/ ….. ….. Form Data: username=Admin&password=Password ….. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-chec k=0 Connection: Keep-Alive … Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT Cross Site Request Forgery
    • 5. OWASP Nice Server http://www.bestbank.com Welcome AdminMoney Transfer BestBank.com
    • 6. OWASP Nice Server http://www.bestbank.com/moneytransfer.php Welcome AdminBestBank Money Transfer 10002 Transfer Receiver's Account No Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=10002&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23 1,00,000Amount
    • 7. OWASP Evil Server http://www.evil.com Evil Contents are always nice!! Request URL: http://www.bestbank.com/secure/transfer.php … … Form Data: accountno=1337&amount=100000 ….. Content-Length: 49 Content-Type: application/x-www-form-urlencoded Cookie: SESSID=hhiksdh23
    • 8. OWASP Nice Server http://www.bestbank.com/summary/ Welcome AdminBestBank Transactions Sl No Account No Amount Date Balance 1 10002 INR 100000 10.09.14 INR 1500000 2 1337 INR 100000 11.09.14 INR 1400000
    • 9. OWASP Other possibilities: If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised! Hijacking the primary DNS server setting of your router! -> phishing, MITM etc.! …Add more! Want to see it work? Visit superlogout.com Read more at the OWASP CSRF Cheat Sheets, just Google it! 9
    • 10. OWASP CSRF Protector Project Project Leader Abbas Naderi Primary Contributor that’s me! Project Mentors Kevin W. Wall & Jim Manico Other Contributors Abhinav Dahiya 10
    • 11. OWASP CSRF Protector Project 11 A new anti-CSRF method to protect web applications! It has two parts for now: A standalone php library An Apache 2.x.x module
    • 12. OWASP
    • 13. OWASP [Architecture diagram: Request from client -> Server Side Interceptor / Input Filter -> web application logic -> Output Filter -> Response to client]
    • 14. OWASP Server Side Interceptor / Input Filter
      Has token in cookie (C)? No -> take action as per configuration
      Has token in request (T)? No -> take action as per configuration
      C == T? No -> take action as per configuration
      Yes -> Allow the request, generate another pseudo random token & send it back to the client!
      Take action as per configuration:
      • Send back a 403
      • Send back a 404
      • Show a custom error message
      • Redirect user to a custom URL
      • Strip all request arguments and allow the request
    • 15. OWASP Output Filter • Works on Regular Expression based matching! • It injects a JavaScript code just after the closing tag when there is an HTML output. • Our normal version also injects a tag and a message inside it, asking the user to enable JavaScript if not already done! We also have a version that works without JavaScript in the case of the php library
    • 16. OWASP The JavaScript's job It does the primary job! The JavaScript code running on the client’s machine ensures that, for each request that needs CSRF validation, a token is attached to it at the point of dispatch! So, tokens are attached to every POST request and certain GET requests (allowed by rules in the configuration) originating from the browser! Something which an attacker cannot craft! 16
    • 17. OWASP
    • 18. OWASP Correctness of the design Scripts running on the attacker’s website cannot retrieve the token from other websites, because of the Same Origin Policy of browsers! The attacker cannot use his token to authenticate requests on other websites. The attacker cannot guess tokens based on ones he has, as a new pseudo random token is generated for each request (& each user). And the PRNG is reseeded after every 10000 requests! 18
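    The input-filter flow from slide 14, together with the per-request token rotation of slides 16 and 18, as an added PHP illustration that is not code from the CSRF Protector project: the cookie and parameter names, the action names and the PHP 7+ requirement (for random_bytes/hash_equals) are assumptions.

```php
<?php
// Added illustration, not code from the CSRF Protector project. Implements the
// decision flow of the server-side input filter: token in cookie (C), token in
// request (T), C == T, then a fresh token on success or a configured action on
// failure. Cookie/parameter names and action names are assumptions; needs PHP 7+.

const CSRFP_COOKIE = 'csrfp_token';   // assumed cookie name holding C
const CSRFP_PARAM  = 'csrfp_token';   // assumed request parameter holding T

// Fresh pseudo-random token from the OS CSPRNG.
function csrfp_new_token(): string
{
    return bin2hex(random_bytes(16));
}

// Input filter check: true only when both tokens exist and match.
function csrfp_validate(array $cookies, array $request): bool
{
    if (empty($cookies[CSRFP_COOKIE]) || empty($request[CSRFP_PARAM])) {
        return false;                                   // missing C or T
    }
    // Constant-time compare so response timing does not leak token bytes.
    return hash_equals((string) $cookies[CSRFP_COOKIE], (string) $request[CSRFP_PARAM]);
}

// Configured failure action, one of the options listed on slide 14.
function csrfp_fail(string $action, string $redirectUrl = '/'): void
{
    switch ($action) {
        case 'forbidden': http_response_code(403); exit('CSRF validation failed');
        case 'notfound':  http_response_code(404); exit();
        case 'message':   exit('This request was blocked because it lacked a valid CSRF token.');
        case 'redirect':  header('Location: ' . $redirectUrl); exit();
        case 'strip':     $_GET = []; $_POST = []; $_REQUEST = []; return;  // allow, but with no arguments
        default:          http_response_code(403); exit();
    }
}

// Call once at the top of every protected page, before any output.
function csrfp_init(string $failAction = 'forbidden'): void
{
    // Every POST is validated; the configurable GET rules from slide 16 are omitted here.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !csrfp_validate($_COOKIE, $_POST)) {
        csrfp_fail($failAction);
    }
    // Allowed: rotate the token so each request carries a new one (slides 14 and 18).
    $token = csrfp_new_token();
    setcookie(CSRFP_COOKIE, $token, 0, '/');    // not HttpOnly: the injected JS must read it
    $_COOKIE[CSRFP_COOKIE] = $token;            // keep PHP's view in sync for the output filter
}
```

    The 'strip' action deliberately continues execution after clearing the superglobals, so application code that copied $_POST before csrfp_init() ran would still see the original arguments; call it first.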
    • 19. OWASP
    • 20. OWASP 20 Standalone library for CSRF Mitigation in php based applications. Can be easily integrated with existing web applications or can be used while developing new ones. Features: 1. Highly customisable! 2. Supports POST / GET requests! 3. Easy to alter according to your needs! 4. Works well with all php versions > 5.0
    • 21. OWASP • It can be easily installed on Apache 2.2 servers! It’s distributed as a shared object file! • Easy to configure, by modifying fields in the httpd.conf file (Apache’s configuration file) • The developer doesn’t need to make any changes to their web applications, so even a server administrator can implement this on their servers. • Has currently been tested with Linux (Ubuntu) and OS X only!
    • 22. OWASP 22
    • 23. OWASP 23 Easy to work with or Integrate 1
    • 24. OWASP 24 Supports AJAX & dynamic forms 2 • We also have custom wrappers in JS that ensure that our injected token doesn’t create any conflict with developer-designed form validation logic! • We support the old attachEvent() & ActiveObject() methods that exist in IE (