RequestRodeo

Client side protection against Session Riding also known as {C,X}SRF - Cross Site Request Forgery


The Proxy

Introduction

RequestRodeo is a HTTP proxy written in Python using the Twisted framework, OpenSSL and SQLite. It protects its user(s) against an relatively unknown attack vector, Session Riding. A short introduction to session riding can be found in the Wikipedia article on Session riding. RequestRodeo is to our best knowledge the only project of its kind.

Documentation

http://www.informatik.uni-hamburg.de/SVS/papers/2006_owasp_RequestRodeo.pdf
A paper describing our project (by Martin Johns).

Credits

The initial version of the RequestRodeo-Proxy was developed as part of the secologic-project.

The Mozilla Extension

Introduction

Implementing Request Rodeo as HTTP proxy has several drawbacks, so the long term goal is to implement the same functionality within the browser.

Status

Development just started, if you are interested in contributing to a young extension, join us!

Limitations and known problems

CVS Snapshots

Hourly build snapshots from the CVS repository are available here .


Getting the source

Request Rodeo is released under the terms of the GNU GPL. You can get the source via anonymous CVS or browse the CVS using your browser.

See http://savannah.nongnu.org/cvs/?group=requestrodeo for details.

Development

Our project is hosted at nongnu.org, take a look at our project page for more infrastructure.

http://savannah.nongnu.org/projects/requestrodeo/


Justus Winter
Last modified: Mon Jan 22 18:54:24 CET 2007