Home
minhaz edited this page Jul 3, 2014 · 17 revisions
The OWASP CSRF Protector Project is an effort by a group of developers to secure web applications against Cross-Site Request Forgery (CSRF). It provides a PHP library and an [Apache 2.x.x Module (mod_csrfprotector)](github.com/mebjas/mod_csrfprotector) (used differently) for easy mitigation.

CSRFP-php is a standalone PHP library that can be used to mitigate CSRF in a web application. It works as a server-side interceptor: every request is processed by CSRFP before it is actually processed by the web application logic. This allows each incoming request to be validated for a **`CSRF token`** (our logic is based on a [Pseudo Random Code](https://github.com/mebjas/CSRF-Protector-PHP/wiki/csrfp_token---pseudo-random-code-for-validation)). Upon successful validation the request is forwarded to the web application. **Otherwise,** actions are taken as per configuration ([see configurations](https://github.com/mebjas/CSRF-Protector-PHP/wiki/Configurations)).
Similarly, every output generated by the web application is filtered and modified by the library. The main task is to append JavaScript code to the generated output; this is done by output buffering in PHP. Along with this, a `<noscript>` notice is appended for those browsers that do not support JavaScript.

Note: We'll soon have an API for non-JS servers as well.
The JavaScript code attached to the HTML output makes sure the token is attached to every request for which the server requires a token.

Note: Currently CSRFP validates every POST request and those GET requests whose URL patterns are allowed as per configuration.
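As an added illustration (not code from the CSRFP library itself), the following minimal PHP sketch shows the interceptor pattern described above: a per-session pseudo-random token, validation of every POST plus configured GET paths, and an output buffer that appends the script and `<noscript>` notice. The function names, the `csrfp_token` parameter/cookie name, the pattern list and the `/csrfp.js` path are assumptions.

```php
<?php
// Added example (not the library's own code): a minimal sketch of the interceptor
// pattern described above. Function names, the 'csrfp_token' parameter/cookie name
// and the GET pattern list are illustrative assumptions.
const CSRFP_TOKEN_NAME   = 'csrfp_token';            // assumed parameter name
const CSRFP_GET_PATTERNS = ['#^/account/delete#'];   // constructed rule: validate these GETs

// Issue a pseudo-random token once per session and mirror it in a cookie
// readable by the injected JavaScript, which attaches it to requests.
function csrfp_issue_token(): string {
    if (empty($_SESSION[CSRFP_TOKEN_NAME])) {
        $_SESSION[CSRFP_TOKEN_NAME] = bin2hex(random_bytes(16));
    }
    setcookie(CSRFP_TOKEN_NAME, $_SESSION[CSRFP_TOKEN_NAME], 0, '/');
    return $_SESSION[CSRFP_TOKEN_NAME];
}

// A token is required for every POST and for GETs whose path matches a pattern.
function csrfp_requires_token(string $method, string $path, array $patterns): bool {
    if ($method === 'POST') return true;
    foreach ($patterns as $re) {
        if (preg_match($re, $path) === 1) return true;
    }
    return false;
}

// Compare in constant time; reject with 403 on failure, otherwise fall through
// so the application logic runs on the validated request.
function csrfp_guard(): void {
    $path = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (!csrfp_requires_token($_SERVER['REQUEST_METHOD'] ?? 'GET', $path, CSRFP_GET_PATTERNS)) return;
    $sent     = (string) ($_POST[CSRFP_TOKEN_NAME] ?? $_GET[CSRFP_TOKEN_NAME] ?? '');
    $expected = (string) ($_SESSION[CSRFP_TOKEN_NAME] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('CSRF validation failed');
    }
}

// Output filter: buffer the page and append the token-attaching script plus a
// <noscript> notice before it reaches the browser (/csrfp.js is an assumed path).
function csrfp_output_filter(string $html): string {
    return $html . '<script src="/csrfp.js"></script>'
         . '<noscript>This site needs JavaScript for CSRF protection.</noscript>';
}

session_start();
csrfp_issue_token();
csrfp_guard();
ob_start('csrfp_output_filter'); // everything echoed below is filtered at shutdown
```

Including this file before any application output reproduces the flow above: a request without a valid token never reaches the application, and every page sent back carries the script that attaches the token to later requests.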
The JavaScript code works well with:

- Static form elements (`<form>`)
- Dynamically generated forms
- AJAX requests (XHR or `XMLHttpRequest`)
- Static URLs (if allowed by configuration rules)
Here is a list of our resources you may need to deploy/integrate CSRFP in your web application.

PS: The wiki is still under development. Please create a GitHub issue for any correction.