[Savannah-register-public] [task #6107] Submission of Request Rodeo


From: Justus Winter
Subject: [Savannah-register-public] [task #6107] Submission of Request Rodeo
Date: Wed, 15 Nov 2006 17:58:40 +0000
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.1) Gecko/20061024 Firefox/2.0

URL:
  <http://savannah.nongnu.org/task/?6107>

                 Summary: Submission of Request Rodeo
                 Project: Savannah Administration
            Submitted by: teythoon
            Submitted on: Wednesday 11/15/2006 at 17:58
         Should Start On: Wednesday 11/15/2006 at 00:00
   Should be Finished on: Saturday 11/25/2006 at 00:00
                Category: Project Approval
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Percent Complete: 0%
             Open/Closed: Open
                  Effort: 0.00

    _______________________________________________________

Details:

A new project has been registered at Savannah 
This project account will remain inactive until a site admin approves or
discards the registration.


= Registration Administration =

While this item will be useful to track the registration process, approving
or discarding the registration must be done using the specific "Group
Administration" page, accessible only to site administrators, effectively
logged as site administrators (superuser):

  <https://savannah.nongnu.org/siteadmin/groupedit.php?group_id=8921>


= Registration Details =

* Name: *Request Rodeo*
* System Name:  *requestrodeo*
* Type: non-GNU software & documentation
* License: GNU General Public License V2 or later

----

Description: RequestRodeo is a novel concept to protect users of web
applications against Session Riding (also known as Cross Site Request
Forgery).

RequestRodeo is an HTTP proxy written in Python using the Twisted framework,
OpenSSL and SQLite. It protects its user(s) against a relatively unknown
attack vector, Session Riding. A short introduction to session riding can be
found at Wikipedia[1]. RequestRodeo is, to the best of our knowledge, the only
project of its kind.

Up to now, there are just two people working on RequestRodeo, me and Martin
Johns[2], who did most of the research for this project. He gave talks on
Session Riding and RequestRodeo in 2006 at OWASP Europe[3], and will talk
about it at the PacSec[4] conference and the Chaos Communication
Congress[5].

A recent svn snapshot can be found at [6] and a scientific paper describing
Session Riding and our RequestRodeo proxy can be found at [7].

There are some benefits gained from using the proxy approach rather than
implementing the protection directly in the web browser, such as browser
independence and ease of deployment (our proxy works with all major
browsers), but there are several drawbacks (we need to track the users'
movements to construct a _reliable_, i.e. not browser-dependent, referrer,
and we need to act as an HTTP-to-HTTPS bridge in order to support HTTPS).

Our long term plan is to write an extension for Mozilla Seamonkey and Mozilla
Firefox. Work on this has just begun.

We are in need of a development and deployment platform and would love to use
Savannah for this purpose.

1: http://en.wikipedia.org/wiki/Session_riding
2: http://www.informatik.uni-hamburg.de/SVS/personnel/martin/index.php
3: http://www.owasp.org/index.php/Main_Page
4: http://pacsec.jp/
5: http://events.ccc.de/congress/2006/Home
6: http://winter.gotdns.org/pub/
7: http://www.informatik.uni-hamburg.de/SVS/papers/2006_owasp_RequestRodeo.pdf


Other Software Required: Python, OpenSSL, PyOpenSSL, SQLite3, pysqlite2,
twisted

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/task/?6107>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
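As an added illustration (not RequestRodeo's own code), the following toy model shows the core idea the submission describes: a proxy reconstructs a browser-independent referrer by tracking which served page each request was initiated from, here by appending a hypothetical `rr_token` parameter to every link and form it serves, and removes cookies from requests whose reconstructed origin is a different site than the destination. The token name, the in-memory store and the strip-credentials decision for untracked requests are assumptions, and the model assumes the proxy can see the traffic in plaintext, as the HTTP-to-HTTPS bridge mentioned above would provide.

```python
import re
import secrets
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAM = "rr_token"  # hypothetical query parameter the proxy appends to served links


class RodeoLikeProxy:
    """Toy model of a proxy that reconstructs a browser-independent referrer."""

    def __init__(self):
        # token -> URL of the page in which the tokenised link/form was served
        self.issued = {}

    @staticmethod
    def site(url):
        """Scheme + host identify the 'site' a URL belongs to."""
        parts = urlsplit(url)
        return (parts.scheme.lower(), parts.netloc.lower())

    def rewrite_html(self, html, page_url):
        """Append a fresh token to each href/action so a later request can be
        attributed to page_url regardless of what Referer the browser sends."""
        def tag(match):
            token = secrets.token_hex(8)
            self.issued[token] = page_url
            target = match.group(2)
            sep = "&" if "?" in target else "?"
            return f'{match.group(1)}="{target}{sep}{TOKEN_PARAM}={token}"'
        return re.sub(r'\b(href|action)="([^"]+)"', tag, html)

    def inspect(self, request_url):
        """Classify an outgoing browser request.

        Returns (decision, reconstructed_referrer). 'strip-credentials' means the
        proxy should forward the request without cookies/auth headers, because
        it is either untracked (typed URL, external link) or cross-site."""
        parts = urlsplit(request_url)
        token = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
        origin = self.issued.get(token) if token else None
        if origin is None:
            return "strip-credentials", None
        if self.site(origin) != self.site(request_url):
            return "strip-credentials", origin
        return "allow", origin
```

In a real deployment the proxy would also remove the token before forwarding the request upstream, and tokens would need an expiry so the store does not grow without bound.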