poc-csrf icon indicating copy to clipboard operation
poc-csrf copied to clipboard

Published 20 hours ago verified publisher icon righettod

Metadata

POC in order to materialize CSRF prevention concepts described in the following OWASP CSRF cheatsheet

Objective

This project is a prototype in order to materialize CSRF prevention concepts described in the following OWASP cheatsheet:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Precisely the following concepts:

  • Verifying same origin with standard headers
  • CSRF specific defense:
    • Double submit cookie (stateless)
    • Leverage SameSite cookie attribute

The POC will focus on stateless approach, i.e. no use of Session for CSRF token storage, because the following project, OWASP CSRFGuard, cover the stateful approach:

https://github.com/aramrami/OWASP-CSRFGuard

All classes are fully documented.

The project is developed with Maven under IntelliJ IDEA.

A web page propose to send manual request in parallel of automated requests sending in order to show all parallel exchanges and CSRF tokens parallel handling.

Demo

Demo

Demo

Note about the SameSite cookie attribute

Source from https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00:

"These attribute are intended to provide a solid layer of defense-in-depth against attacks which require embedding an authenticated request into an attacker-controlled context."

Unfortunately, for the moment, only Chrome based browser supports this attribute:

http://caniuse.com/#feat=same-site-cookie-attribute

There a very good description of this attribute here:

https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/

Build or Run

Add the following line to your hosts file:

# Local domain
127.0.0.1 local.net

Run the following command to create a WAR archive:

mvn clean package

Run the following command to run the prototype (it will exposed on http://local.net:9090):

mvn tomcat7:run-war

TODO

  • Auto deploy POC on cloud provider

Main references

  • Origin HTTP header - https://wiki.mozilla.org/Security/Origin
  • Description of the SameSite attribute - https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/
  • SameSite attribute specification - https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
  • SameSite attribute supports - http://caniuse.com/#feat=same-site-cookie-attribute

Metadata

30
Stars
17
Forks
Watchers

Owner

verified publisher icon righettod

Metadata

POC in order to materialize CSRF prevention concepts described in the following OWASP CSRF cheatsheet

Back