Release 1.0.4
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xc="urn:xhtml-compiler"
xmlns:news="urn:xhtml-compiler:News"
xml:lang="en">
<head>
<title>csrf-magic: Wizard CSRF Protection for PHP</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<link rel="alternate" type="application/rss+xml" title="News - csrf-magic" href="news.rss" />
<meta name="description"
content="Drop-in PHP library that automagically adds CSRF protection to an application." />
<meta name="keywords"
content="library, security, open source, csrf, cross-site request forgery, protection" />
</head>
<body>
<h1 id="title" title="Yah, I know the vignette kinda sucks. Any graphic designers want to step up?">csrf-magic</h1>
<div id="body">
<div id="content">
<p>
Securing your application against Cross-Site Request Forgery has never been
easier. Why rewrite every form on your website when a program can do it for
you? Simply drop this at the top of every PHP file:
</p>
<pre><code>require_once '/path/to/csrf-magic.php';
</code></pre>
<p>
...and let the magic take care of the rest.
<a href="releases/csrf-magic-1.0.4.tar.gz">Download it now</a>!
Or try out <a href="dev/test.php">the demo</a>.
</p>

<h2>News</h2>
<div class="news" news:source="news" news:limit="1" news:header="h3" />

<h2>What is CSRF?</h2>
<p>
Cross-Site Request Forgery (CSRF) is an attack in which a malicious page
tricks the victim's browser into sending a request to another website. Because
the browser automatically attaches the victim's credentials (typically the
session cookie) to that request, the target site cannot tell it apart from one
the victim made deliberately. Imagine this scenario: Bob, the human resources
manager for a large and important company, has the ability to hire and fire
with a click of a button. Specifically, a web form button. Mallory, as a
practical joke, decides to stage a CSRF attack against Bob. She baits Bob with
a webpage that automatically submits a form to the hire'n'fire website while
Bob's browser still carries his login session. The next morning, every employee
finds a pink slip in his inbox.
</p>

<h2>Why csrf-magic?</h2>
<p>
The current standard for preventing CSRF is a secret token (a nonce) that the
server embeds in every form and verifies on every submission. An attacker's page
cannot read that token out of your site (the same-origin policy forbids it), so a
forged submission fails the check. This is reasonably effective, but incredibly
tedious work; if you are hand-writing your forms or have multiple avenues for
POST data to enter your application, adding CSRF protection may not seem worth
the trouble.
</p>

<p>
This is where csrf-magic comes into play. csrf-magic uses PHP's output
buffering to rewrite the forms and scripts in your document on the fly, adding
the token to each of them. It also intercepts POST requests and checks their
token (various algorithms are used; some generate nonces, some generate
user-specific tokens). Because only POST requests are checked, any action that
changes state must be submitted with POST rather than GET. For a traditional
website with forms, this means you can drop csrf-magic into your application
and forget about it!
</p>
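<p>
The two halves described above, token injection at output time and a token check
on POST, are small enough to show in full. The following is an added example, not
csrf-magic's own code: the function names (<code>csrf_get_token</code>,
<code>csrf_rewrite_html</code>, <code>csrf_check</code>), the
<code>CSRF_FIELD</code> constant, the session-bound random token and the demo
form's <code>fire.php</code> action are all illustrative choices, and it
rewrites forms only, not scripts.
</p>

```php
<?php
// Added example (not csrf-magic's code): a minimal synchronizer-token scheme built
// the way the text describes, an output-buffer callback that injects the token into
// every POST form, plus a check that runs before the page does anything with $_POST.
// All names (csrf_get_token, csrf_rewrite_html, csrf_check, CSRF_FIELD) are
// illustrative; a session-bound random token is just one of several possible algorithms.
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

// Return the session's token, creating a fresh 256-bit random one on first use.
function csrf_get_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_FIELD]) || !is_string($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Output-buffer callback: append a hidden token field right after every <form ...>
// tag whose method is POST. GET forms are left alone; they should not change state.
function csrf_rewrite_html(string $html): string
{
    $field = '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_get_token(), ENT_QUOTES, 'UTF-8') . '" />';

    return preg_replace_callback(
        '#<form\b[^>]*>#i',
        static function (array $m) use ($field): string {
            $isPost = preg_match('/\bmethod\s*=\s*["\']?post["\']?/i', $m[0]) === 1;
            return $isPost ? $m[0] . $field : $m[0];
        },
        $html
    ) ?? $html; // preg_replace_callback returns null on a regex engine error
}

// Reject any POST whose token is missing or differs from the session's token.
// hash_equals() compares in constant time; the is_string() guard stops a request
// with csrf_token[]=... from turning the value into an array.
function csrf_check(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    $submitted = $_POST[CSRF_FIELD] ?? null;
    if (!is_string($submitted) || !hash_equals(csrf_get_token(), $submitted)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

// The "drop this at the top of every PHP file" part: check first, then start
// buffering so the rest of the script's output is rewritten on its way out.
csrf_check();
ob_start('csrf_rewrite_html');
?>
<!-- Constructed demo page: the hidden token field is inserted into this form at output time. -->
<form method="post" action="fire.php">
  <button type="submit" name="fire" value="all">Fire everyone</button>
</form>
```

<p>
Two things to keep in mind with this approach. The check must run before any
code reads <code>$_POST</code>, and <code>ob_start()</code> must be called
before any output is sent, otherwise the forms emitted earlier are never
rewritten. And a request built by script rather than by a form (an AJAX call)
carries no hidden field, which is why the library also rewrites scripts; this
example does not.
</p>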

<h2>External links</h2>
<ul>
<li><a href="http://repo.or.cz/w/csrf-magic.git">repo.or.cz</a>, the location
of our Git source code repository. Bleeding edge development builds can be
found here. They are also
<a href="http://git.htmlpurifier.org/csrf-magic.git">mirrored here</a>.</li>
<li><a href="http://code.google.com/p/csrfx/">CSRFx</a>, a similar
library with similar goals. They haven't made a release yet, but the code
in the repository is working.
</li>
<li><a href="http://code.djangoproject.com/browser/django/trunk/django/contrib/csrf/middleware.py">Django CSRF Middleware</a>,
an extension for the Python web framework that has the same basic ideas
as ours for rewriting output.
</li>
<li><a href="http://directwebremoting.org/">Direct Web Remoting</a>, a JavaScript/Java
framework that features
<a href="http://directwebremoting.org/blog/joe/2007/01/01/csrf_attacks_or_how_to_avoid_exposing_your_gmail_contacts.html">AJAX
rewriting for CSRF protection</a>.
</li>
<li><a href="http://htmlpurifier.org/">HTML Purifier</a>, a standards-compliant
XSS filter. If your site is vulnerable to XSS, the best CSRF protection in the
world won't save you: injected script runs in your site's own origin and can
simply read the token out of the page.
</li>
</ul>

</div>
</div>

</body>
</html>