This project is a prototype in order to materialize CSRF prevention concepts described in the following OWASP cheatsheet:
Precisely the following concepts:
- Verifying same origin with standard headers
- CSRF specific defense:
- Double submit cookie (stateless)
- Leverage SameSite cookie attribute
The POC will focus on stateless approach, i.e. no use of Session for CSRF token storage, because the following project, OWASP CSRFGuard, cover the stateful approach:
All classes are fully documented.
The project is developed with Maven under IntelliJ IDEA.
A web page propose to send manual request in parallel of automated requests sending in order to show all parallel exchanges and CSRF tokens parallel handling.
Note about the SameSite cookie attribute
"These attribute are intended to provide a solid layer of defense-in-depth against attacks which require embedding an authenticated request into an attacker-controlled context."
Unfortunately, for the moment, only Chrome based browser supports this attribute:
There a very good description of this attribute here:
Build or Run
Add the following line to your hosts file:
# Local domain 127.0.0.1 local.net
Run the following command to create a WAR archive:
mvn clean package
Run the following command to run the prototype (it will exposed on http://local.net:9090):
- Auto deploy POC on cloud provider
- Origin HTTP header - https://wiki.mozilla.org/Security/Origin
- Description of the SameSite attribute - https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/
- SameSite attribute specification - https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
- SameSite attribute supports - http://caniuse.com/#feat=same-site-cookie-attribute