OWASP CSRFGuard: Understanding and Preventing Cross-Site Request Forgery

Offered By: OWASP Foundation via YouTube

Tags

Web Security Courses CORS Courses Same-Origin Policy Courses

Course Description

Overview

Explore the intricacies of Cross-Site Request Forgery (CSRF) and learn how to effectively prevent it using OWASP CSRFGuard in this comprehensive conference talk. Delve into classic examples and recent CSRF attacks, understand the implications of relaxing the Same-Origin Policy, and examine the role of CORS in web security. Discover techniques for identifying CSRF vulnerabilities, including real-world attack payloads and methods for searching for exploits. Gain insights into prevention strategies, with a focus on the game-changing SameSite attribute and its impact on CSRF protection. Examine the CSRF Guard flow and explore new features in version 4.x, including JSP Tag support. Conclude with practical recommendations and learn how to automate CSRF detection using nuclei templates. Equip yourself with the knowledge to safeguard web applications against CSRF attacks and implement robust security measures.

Syllabus

Intro
What is Cross-Site Request Forgery
The classic example
More recent CSRF Attack
Relaxing the SOP (1)
Anything else? Yes, ofCORS!
When it's safe to fly?
CORS Server side headers
Real world CSRF attack payloads
Searching for CSRF exploits
Searching for recent CSRF exploits
How to prevent it?
SameSite - the game changer
So when would you need CSRF Guard?
CSRF Guard flow (2)
What's new in CSRF Guard 4.x
CSRF Guard JSP Tag support
Conclusions and recommendations
Automation with nuclei templates
Nuclei detect CSRFGuard defaults
References


Taught by

OWASP Foundation
