This project is a prototype in order to materialize CSRF prevention concepts described in the following OWASP cheatsheet:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Precisely the following concepts:

• Verifying same origin with standard headers
• CSRF specific defense:
  • Double submit cookie (stateless)
  • Leverage SameSite cookie attribute

The POC will focus on stateless approach, i.e. no use of Session for CSRF token storage, because the following project, OWASP CSRFGuard, cover the stateful approach:

https://github.com/aramrami/OWASP-CSRFGuard

All classes are fully documented.

The project is developed with Maven under IntelliJ IDEA.

A web page propose to send manual request in parallel of automated requests sending in order to show all parallel exchanges and CSRF tokens parallel handling.

Source from https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00:

"These attribute are intended to provide a solid layer of defense-in-depth against attacks which require embedding an authenticated request into an attacker-controlled context."

Unfortunately, for the moment, only Chrome based browser supports this attribute:

http://caniuse.com/#feat=same-site-cookie-attribute

There a very good description of this attribute here:

https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/

Add the following line to your hosts file:

# Local domain
127.0.0.1 local.net

Run the following command to create a WAR archive:

mvn clean package

Run the following command to run the prototype (it will exposed on http://local.net:9090):

mvn tomcat7:run-war

• Auto deploy POC on cloud provider

• Origin HTTP header - https://wiki.mozilla.org/Security/Origin
• Description of the SameSite attribute - https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/
• SameSite attribute specification - https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
• SameSite attribute supports - http://caniuse.com/#feat=same-site-cookie-attribute