Difference between revisions of "Category:OWASP CSRFGuard Project"

From OWASP
Jump to: navigation, search
(Project Lead)
 
(27 intermediate revisions by 5 users not shown)
Line 1: Line 1:
<!---==== Main  ====--->
 
== Overview ==
 
  
Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the [http://www.corej2eepatterns.com/Design/PresoDesign.htm synchronizer token pattern] to mitigate the risk of [[Cross-Site Request Forgery]] (CSRF) attacks. The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request. Any attempt to submit a request to a protected resource without the correct corresponding token is viewed as a CSRF attack in progress and is discarded. Prior to discarding the request, CSRFGuard can be configured to take one or more actions such as logging aspects of the request and redirecting the user to a landing page. The latest release enhances this strategy to support the optional verification of HTTP requests submitted using Ajax as well as the optional verification of referrer headers.
+
=Main=
  
== Project Lead ==
+
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
  
[mailto:eric@infraredsecurity.com Eric Sheridan] is the lead and primary developer of the OWASP CSRFGuard project and a Managing Partner at [http://www.infraredsecurity.com Infrared Security]. Aside from leading up CSRFGuard, Eric has contributed to or provided guidance on numerous other OWASP projects including CSRF Prevention Cheat Sheet, WebGoat, Stinger, CSRFTester, and Enterprise Security API (ESAPI). As Managing Partner at Infrared Security, Eric Sheridan specializes in a wide variety of application security activities including static analysis, penetration tests, code reviews, and threat modeling. In his personal time... wait, what is that?
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
  
== License ==
+
==OWASP CSRFGuard ==
  
OWASP CSRFGuard is offered under the [http://www.opensource.org/licenses/bsd-license.php BSD] license. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.
+
Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the [http://www.corej2eepatterns.com/Design/PresoDesign.htm synchronizer token pattern] to mitigate the risk of [[Cross-Site Request Forgery]] (CSRF) attacks.  
  
== Email List ==
+
==Introduction==
  
You can sign up for the OWASP CSRFGuard email list at [https://lists.owasp.org/mailman/listinfo/owasp-csrfguard https://lists.owasp.org/mailman/listinfo/owasp-csrfguard]
+
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.  
  
== Source Code ==
+
==Description==
  
You can access the Git repository online at https://github.com/esheri3/OWASP-CSRFGuard
+
==== Overview ====
  
== Downloads ==
+
OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard 3 provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. CSRFGuard no longer intercepts and modifies the HttpServletResponse object as was done in previous releases. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard 3.
  
[https://github.com/downloads/esheri3/OWASP-CSRFGuard/Owasp-CsrfGuard-3.0.0.503.tar.gz OWASP CSRFGuard 3.0.0.503 (ALPHA)] - download the latest development release with binary and associated configuration files '''(recommended)'''.
+
==== JavaScript DOM Manipulation ===
  
[[CSRFGuard_Deprecated_Releases | Deprecated Releases]] - article containing several download references to deprecated and officially unsupported releases
+
OWASP CSRFGuard 3 supports the ability to dynamically inject CSRF prevention tokens throughout the DOM currently loaded in the user's browser. This strategy is extremely valuable with regards to server-side performance as it simply requires the serving of a dynamic JavaScript file. There is little to no performance hit when the fetched dynamic JavaScript updates the browser's DOM. Making use of the JavaScript token injection solution requires the developer map a Servlet and place a JavaScript HTML tag within all pages sending requests to protected application resources. Developers are strongly encouraged to leverage the JavaScript token injection strategy by default. This strategy requires minimal effort on behalf of the developer as most of the token injection logic is automated. In the event that the JavaScript automated solution may be insufficient for a specific application context, developers should leverage the OWASP CSRFGuard JSP tag library.
  
== User Manual(s) ==
+
'''Note:''' Use of JavaScript DOM Manipulation is required for Ajax support.
  
[[CSRFGuard_3_User_Manual | OWASP CSRFGuard v3 ]] - series of articles describing the installation, configuration, and deployment of OWASP CSRFGuard v3.
 
  
== References ==
+
[[File:CSRGuard.PNG|300px|thumb|left|CSRFGuard Architecture]]
 +
 
 +
== What is CSRFGuard? ==
 +
 
 +
OWASP CSRFGuard  provides:
 +
 
 +
* A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
 +
* A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.
 +
 
 +
==Licensing==
 +
The CSRFGuard project is run by Azzeddine RAMRAMI. He can be contacted at azzeddine.ramrami AT owasp.org. CSRFGuard distributions are currently maintained on GitHub.
 +
 
 +
OWASP CSRFGuard 3.1 is offered under the BSD license
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== Presentation & Manual ==
 +
 
 +
Link to presentation
 +
 
 +
https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
 +
 
 +
== Project Leader ==
 +
 
 +
The CSRFGuard project is run by Azzeddine RAMRAMI. He can be contacted at azzeddine.ramrami AT owasp.org.
 +
 
 +
== Related Projects ==
  
 
:*[http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWASP CSRFTester ] - utility to assist in the testing and generating PoC for CSRF attacks.
 
:*[http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWASP CSRFTester ] - utility to assist in the testing and generating PoC for CSRF attacks.
Line 37: Line 61:
 
:*http://www.thespanner.co.uk/2007/10/19/jsck/ - project implementing CSRFGuard style solution for PHP and JavaScript.
 
:*http://www.thespanner.co.uk/2007/10/19/jsck/ - project implementing CSRFGuard style solution for PHP and JavaScript.
 
:*http://www.owasp.org/index.php/.Net_CSRF_Guard - project implementing CSRFGuard style solution for ASP.NET.
 
:*http://www.owasp.org/index.php/.Net_CSRF_Guard - project implementing CSRFGuard style solution for ASP.NET.
 +
:*https://www.owasp.org/index.php/CSRFProtector_Project - CSRF Protector Project - Implements new Anti CSRF method in web applications
  
== Project Sponsors ==  
+
== Ohloh ==
  
[[File:Infrared-logo-small.png | link=http://www.infraredsecurity.com]]
+
*https://www.ohloh.net/p/OWASP-CSRFGuard
  
<!---==== Project About ====
+
| valign="top"  style="padding-left:25px;width:200px;" |
{{:Projects/OWASP CSRFGuard Project| Project About}}
+
 
 +
== Quick Download ==
 +
 
 +
Download and build the latest source code from GitHub :
 +
 
 +
* https://github.com/aramrami/OWASP-CSRFGuard
 +
 
 +
Download and build the latest source code from GitHub - https://github.com/aramrami/OWASP-CSRFGuard-3
 +
 
 +
[[CSRFGuard_Deprecated_Releases | Deprecated Releases]] - article containing several download references to deprecated and officially unsupported releases
 +
 
 +
Download the binary jar file from Github relase:
 +
 
 +
* https://github.com/aramrami/OWASP-CSRFGuard/releases/download/3.1.0/csrfguard-3.1.0.jar
 +
 
 +
== User Manual(s) ==
 +
 
 +
[[CSRFGuard_3_User_Manual | OWASP CSRFGuard v3 ]] - series of articles describing the installation, configuration, and deployment of OWASP CSRFGuard v3.
 +
== News and Events ==
 +
 
 +
* [08 Fev 2014] A security fix has been published. See details on GitHub
 +
* [10 Feb 2014] Release 3.1 of CSRFGuard project is now available for download
 +
* [28 Jul 2014] A new Github repository called "OWASP CSRFGuard-3" with issues management has been created
 +
 
 +
== In Print ==
 +
 
 +
This project can be purchased as a print on demand book from Lulu.com
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
=FAQs=
 +
 
 +
Here a complete CSRF attacks FAQ:
 +
 
 +
* http://www.cgisecurity.com/csrf-faq.html
 +
 
 +
= Acknowledgements =
 +
==Volunteers==
 +
 
 +
CSRFGuard is developed by a worldwide team of volunteers. The primary contributors to date have been:
 +
 
 +
* Ahamed Nafeez, Security Engineer.
 +
* Christa Erwin, Security, Programmer/Analyst.
 +
 
 +
==Others==
 +
 
 +
* Eric Sheridan was the original designer of CSRFGuard until 3.0 version.
 +
 
 +
= Road Map and Getting Involved =
 +
 
 +
As of CSRFGuard the priorities are:
 +
* Address any security vulnerabilities around javascript prototype hijacking
 +
* Support for Internet Explorer
 +
* Addressing outstanding issues listed in GitHub
 +
* Support for Multi-part requests
 +
* Add support for the 'Origin' header
 +
 
 +
Involvement in the development and promotion of CSRFGurd is actively encouraged!
 +
You do not have to be a security expert in order to contribute.
 +
Some of the ways you can help:
 +
* Make fix to the actual version
 +
* Propose a security enhcement
 +
* Write a complete Architecture Folder for CSRFGurd
 +
* Add an IA engine to detect unknown attacks.
 +
 
 +
 
 +
 
 +
=Contact US=
 +
You can sign up for the OWASP CSRFGuard email list at [https://lists.owasp.org/mailman/listinfo/owasp-csrfguard https://lists.owasp.org/mailman/listinfo/owasp-csrfguard]
  
__NOTOC__ <headertabs />---->
+
__NOTOC__ <headertabs />  
  
[[Category:OWASP_Validation_Project]]
+
[[Category:OWASP Project]]
[[Category:Java]]
+
[[Category:OWASP_Project|CSRFGuard Project]]
+
[[Category:OWASP_Java_Project]]
+

Latest revision as of 18:58, 2 March 2015

[edit]

Flagship big.jpg

OWASP CSRFGuard

Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.

Introduction

The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

Description

Overview

OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard 3 provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. CSRFGuard no longer intercepts and modifies the HttpServletResponse object as was done in previous releases. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard 3.

= JavaScript DOM Manipulation

OWASP CSRFGuard 3 supports the ability to dynamically inject CSRF prevention tokens throughout the DOM currently loaded in the user's browser. This strategy is extremely valuable with regards to server-side performance as it simply requires the serving of a dynamic JavaScript file. There is little to no performance hit when the fetched dynamic JavaScript updates the browser's DOM. Making use of the JavaScript token injection solution requires the developer map a Servlet and place a JavaScript HTML tag within all pages sending requests to protected application resources. Developers are strongly encouraged to leverage the JavaScript token injection strategy by default. This strategy requires minimal effort on behalf of the developer as most of the token injection logic is automated. In the event that the JavaScript automated solution may be insufficient for a specific application context, developers should leverage the OWASP CSRFGuard JSP tag library.

Note: Use of JavaScript DOM Manipulation is required for Ajax support.


CSRFGuard Architecture

What is CSRFGuard?

OWASP CSRFGuard provides:

  • A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
  • A JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

Licensing

The CSRFGuard project is run by Azzeddine RAMRAMI. He can be contacted at azzeddine.ramrami AT owasp.org. CSRFGuard distributions are currently maintained on GitHub.

OWASP CSRFGuard 3.1 is offered under the BSD license

Presentation & Manual

Link to presentation

https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

Project Leader

The CSRFGuard project is run by Azzeddine RAMRAMI. He can be contacted at azzeddine.ramrami AT owasp.org.

Related Projects

Ohloh

Quick Download

Download and build the latest source code from GitHub :

Download and build the latest source code from GitHub - https://github.com/aramrami/OWASP-CSRFGuard-3

Deprecated Releases - article containing several download references to deprecated and officially unsupported releases

Download the binary jar file from Github relase:

User Manual(s)

OWASP CSRFGuard v3 - series of articles describing the installation, configuration, and deployment of OWASP CSRFGuard v3.

News and Events

  • [08 Fev 2014] A security fix has been published. See details on GitHub
  • [10 Feb 2014] Release 3.1 of CSRFGuard project is now available for download
  • [28 Jul 2014] A new Github repository called "OWASP CSRFGuard-3" with issues management has been created

In Print

This project can be purchased as a print on demand book from Lulu.com

Classifications

Project Type Files CODE.jpg

Here a complete CSRF attacks FAQ:

Volunteers

CSRFGuard is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Ahamed Nafeez, Security Engineer.
  • Christa Erwin, Security, Programmer/Analyst.

Others

  • Eric Sheridan was the original designer of CSRFGuard until 3.0 version.

As of CSRFGuard the priorities are:

  • Address any security vulnerabilities around javascript prototype hijacking
  • Support for Internet Explorer
  • Addressing outstanding issues listed in GitHub
  • Support for Multi-part requests
  • Add support for the 'Origin' header

Involvement in the development and promotion of CSRFGurd is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Make fix to the actual version
  • Propose a security enhcement
  • Write a complete Architecture Folder for CSRFGurd
  • Add an IA engine to detect unknown attacks.


You can sign up for the OWASP CSRFGuard email list at https://lists.owasp.org/mailman/listinfo/owasp-csrfguard

Pages in category "OWASP CSRFGuard Project"

The following 4 pages are in this category, out of 4 total.