The Encrypted Token Pattern CSRF Defence


Owen Pendlebury

Jun 18, 2015, 3:02:42 PM
to owasp-pro...@owasp.org
The Encrypted Token Pattern CSRF Defence

Blurb
The Encrypted Token Pattern is a defence mechanism against Cross-Site Request Forgery (CSRF)
attacks, and is an alternative to its sister patterns, Synchroniser Token and Double Submit Cookie.
This article discusses the merits and means of implementing this defence mechanism in web-based
applications.

Brief Description

The Encrypted Token Pattern leverages a single token, as opposed to dual tokens, and offers a more
narrow scope of failure than alternative CSRF protection patterns.

Leveraging the Encrypted Token Pattern

The Advanced Resilient Mode of Recognition (ARMOR) is a C# implementation of the Encrypted
Token Pattern, available on GitHub under the MIT license, that provides a means of protecting
ASP.NET applications from CSRF attacks by leveraging the Encrypted Token Pattern. A Java
equivalent of ARMOR is under construction and will be available soon.

ARMOR
ARMOR is a framework composed of interconnecting components exposed through custom
web-handlers. ARMOR is essentially an advanced encryption and hashing mechanism, leveraging the
Rijndael encryption standard, and SHA256 hashing by default.

Creator Bio
http://insidethecpu.com/about/

johanna curiel

Feb 11, 2016, 2:33:30 PM
to OWASP PROJECT IDEAS, Claudia Casanovas
Hi Owen

Are you still interested to kick off this potential project?

Please let us know, we are trying to revive the project ideas into a pool of projects and resources.

You can set your idea into a wiki page under the project idea category using this template:

If you need assistance let us know

Cheers

Johanna

Owen Pendlebury

Feb 11, 2016, 2:35:42 PM
to johanna curiel, OWASP PROJECT IDEAS, Claudia Casanovas
Hi Johanna,

This project was actually from a member of the Dublin chapter who was interested in making his project an OWASP project.

If you don't mind I can forward this mail on to him?

Owen
--
Owen Pendlebury
OWASP Ireland-Dublin Chapter Lead

johanna curiel curiel

Feb 11, 2016, 2:38:51 PM
to Owen Pendlebury, OWASP PROJECT IDEAS, Claudia Casanovas
Sure please :) and thank you for helping promote us.

Cheers

Johanna

Owen Pendlebury

Feb 11, 2016, 2:40:04 PM
to johanna curiel curiel, OWASP PROJECT IDEAS, Claudia Casanovas
Ah always ;)

PS thanks for both your work on the projects, much appreciated 

Owen Pendlebury
OWASP Ireland-Dublin Chapter Lead