RequestRodeo

Client-side protection against Session Riding, also known as {C,X}SRF (Cross-Site Request Forgery)


The Proxy

Introduction

RequestRodeo is an HTTP proxy written in Python using the Twisted framework, OpenSSL and SQLite. It protects its user(s) against a relatively unknown attack vector, Session Riding. A short introduction to session riding can be found in the Wikipedia article on Session riding. RequestRodeo is, to the best of our knowledge, the only project of its kind.

Documentation

http://www.informatik.uni-hamburg.de/SVS/papers/2006_owasp_RequestRodeo.pdf
A paper describing our project (by Martin Johns).

The Mozilla Extension

Introduction

Implementing Request Rodeo as an HTTP proxy has several drawbacks, so the long-term goal is to implement the same functionality within the browser.

Status

Development has just started; if you are interested in contributing to a young extension, join us!

Limitations and known problems

CVS Snapshots

Hourly build snapshots from the CVS repository are available here.


Getting the source

Request Rodeo is released under the terms of the GNU GPL. You can get the source via anonymous CVS or browse the CVS using your browser.

See http://savannah.nongnu.org/cvs/?group=requestrodeo for details.

Development

Our project is hosted at nongnu.org; take a look at our project page for more infrastructure.

http://savannah.nongnu.org/projects/requestrodeo/


Justus Winter
Last modified: Mon Jan 22 18:54:24 CET 2007