Skip to content

POC in order to materialize CSRF prevention concepts described in the following OWASP CSRF cheatsheet

Notifications You must be signed in to change notification settings

joyboyid/poc-csrf

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Objective

This project is a prototype in order to materialize CSRF prevention concepts described in the following OWASP cheatsheet:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Precisely the following concepts:

  • Verifying same origin with standard headers
  • CSRF specific defense:
    • Double submit cookie (stateless)
    • Leverage SameSite cookie attribute

The POC will focus on stateless approach, i.e. no use of Session for CSRF token storage, because the following project, OWASP CSRFGuard, cover the stateful approach:

https://github.com/aramrami/OWASP-CSRFGuard

All classes are fully documented.

The project is developed with Maven under IntelliJ IDEA.

A web page propose to send manual request in parallel of automated requests sending in order to show all parallel exchanges and CSRF tokens parallel handling.

Demo

Demo

Demo

Note about the SameSite cookie attribute

Source from https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00:

"These attribute are intended to provide a solid layer of defense-in-depth against attacks which require embedding an authenticated request into an attacker-controlled context."

Unfortunately, for the moment, only Chrome based browser supports this attribute:

http://caniuse.com/#feat=same-site-cookie-attribute

There a very good description of this attribute here:

https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/

Build or Run

Add the following line to your hosts file:

# Local domain
127.0.0.1 local.net

Run the following command to create a WAR archive:

mvn clean package

Run the following command to run the prototype (it will exposed on http://local.net:9090):

mvn tomcat7:run-war

TODO

  • Auto deploy POC on cloud provider

Main references

About

POC in order to materialize CSRF prevention concepts described in the following OWASP CSRF cheatsheet

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Java 74.4%
  • JavaScript 17.7%
  • HTML 7.9%