OWASP CSRFProtector Project


Introduction

OWASP CSRF Protector Project is an effort by a group of developers to secure web applications against Cross-Site Request Forgery. It provides a PHP library and an Apache module (each used on its own) for easy mitigation.

What is CSRF Protector?

CSRF Protector Project has two parts:

  1. Apache 2.x.x Module: An Apache Module which can be easily installed and configured in an Apache Server to protect it from CSRF vulnerabilities.
  2. PHP library: A standalone PHP library that can be integrated with any existing web application or used while creating a new PHP project. All developers need to do is include the library and call the initiating function.

It’s based on the research paper A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications - ACSAC 2011

How to use

Features Offered

CSRF Protector provides protection for:

  • Normal HTML forms (POST/GET)
  • Normal Get requests (Not enabled by default)
  • Ajax Requests (XHR)
  • Dynamically generated forms

Damages Mitigated: Cross-Site Request Forgery

CSRF Protector provides mitigation against Cross-Site Request Forgery a.k.a CSRF or XSRF.

Major Contributors


What is CSRF Protector PHP library?

It's a standalone PHP library for mitigating Cross-Site Request Forgery (CSRF) vulnerabilities in web applications, which can be used with any existing web application or while developing a new one. More information is available at the Github wiki.


How to contribute

To contribute to the code, fork and send a pull request to the GitHub Repository.

Current Status

Version 1.0.1 Released!

TODOs

All todos for CSRF Protector PHP are listed at todofy/mebjas/CSRF-Protector-PHP

Download Now: CSRF-Protector-PHP


What is mod_csrfprotector?

It's an Apache 2.x.x module (currently 2.2.x) under development. It can be installed and configured in any Apache server to protect it against Cross-Site Request Forgery attacks. mod_csrfprotector provides protection for both POST and GET requests (GET protection is not enabled by default).

How mod_csrfprotector works?

Once installed in an Apache server, every request made to the server is validated against CSRF attacks by the module's input filter. The input filter follows the protocol set by the developer in the configuration, which tells the module whether a given request needs to be validated. For requests that do, the input filter checks for the appropriate token sent with the request. If validation succeeds, the request is forwarded to the other filters and content generators (such as PHP or CGI). Otherwise, the action configured by the administrator is taken; for example, a 403 Forbidden response is sent to the client. The output filter checks the content type of the output produced by the content generator and, if it is text/html or text/xhtml, appends JavaScript code to the output. On the client side this JavaScript is responsible for attaching CSRFP_token to every request that requires it.
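As an added illustration (not code from the page, the PHP library or the Apache module), the following PHP sketches the two decisions described above: the input-filter check of the token and the output-filter check of the content type. The parameter name CSRFP_token comes from the page; the function names, the header name used for XHR requests and the session-array handling are assumptions.

```php
<?php
// Added illustration, not the project's code. CSRFP_token is the name the
// page gives the token; the header name and helpers below are assumptions.

const CSRFP_TOKEN_NAME = 'CSRFP_token';

// Issue one random token per session; the injected JS would read and attach it.
function csrfp_issue_token(array &$session): string {
    if (empty($session[CSRFP_TOKEN_NAME])) {
        $session[CSRFP_TOKEN_NAME] = bin2hex(random_bytes(32));
    }
    return $session[CSRFP_TOKEN_NAME];
}

// Input-filter decision: true = forward the request to the content generator,
// false = answer with 403 Forbidden (or whatever action is configured).
function csrfp_validate(string $method, array $params, array $headers,
                        array $session, bool $verifyGet = false): bool {
    // GET requests are only checked when the administrator enables it.
    if ($method === 'GET' && !$verifyGet) {
        return true;
    }
    $expected = $session[CSRFP_TOKEN_NAME] ?? '';
    // Forms carry the token as a field; XHR may carry it as a header (assumed name).
    $sent = $params[CSRFP_TOKEN_NAME] ?? $headers['X-' . CSRFP_TOKEN_NAME] ?? '';
    // Constant-time comparison avoids leaking the token byte by byte.
    return $expected !== '' && $sent !== '' && hash_equals($expected, $sent);
}

// Output-filter decision: only HTML responses get the client-side JS appended.
function csrfp_should_inject(string $contentType): bool {
    $type = strtolower(trim(explode(';', $contentType)[0]));
    return in_array($type, ['text/html', 'text/xhtml'], true);
}

// Constructed demo: a session, one legitimate request and one forged request.
$session = [];
$token   = csrfp_issue_token($session);
$requests = [
    'legit POST'      => ['POST', [CSRFP_TOKEN_NAME => $token], []],
    'forged POST'     => ['POST', [CSRFP_TOKEN_NAME => 'guess'], []],
    'XHR with header' => ['POST', [], ['X-' . CSRFP_TOKEN_NAME => $token]],
    'plain GET'       => ['GET', [], []],
];
foreach ($requests as $label => [$method, $params, $headers]) {
    $status = csrfp_validate($method, $params, $headers, $session) ? '200' : '403';
    echo "$label => $status\n";
}
echo 'inject into text/html; charset=utf-8: '
    . var_export(csrfp_should_inject('text/html; charset=utf-8'), true) . "\n";
echo 'inject into application/json: '
    . var_export(csrfp_should_inject('application/json'), true) . "\n";
```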


How to contribute

To contribute to the code, fork and send a pull request to: GitHub Repo - mod_csrfprotector

TODOs

All todos for mod_csrfprotector are listed at: todofy/mebjas/mod_csrfprotector


Some articles with the latest news and information around CSRF Protector:

How to contribute

If you have written an article explaining how to use CSRF Protector Project, how it works, or bugs and workarounds, please feel free to send a pull request to github.com/OWASP/www-project-csrfprotector