[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-register-public] [task #6107] Submission of Request Rodeo

From: Justus Winter
Subject: [Savannah-register-public] [task #6107] Submission of Request Rodeo
Date: Wed, 15 Nov 2006 17:58:40 +0000
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.1) Gecko/20061024 Firefox/2.0


                 Summary: Submission of Request Rodeo
                 Project: Savannah Administration
            Submitted by: teythoon
            Submitted on: Wednesday 11/15/2006 at 17:58
         Should Start On: Wednesday 11/15/2006 at 00:00
   Should be Finished on: Saturday 11/25/2006 at 00:00
                Category: Project Approval
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Percent Complete: 0%
             Open/Closed: Open
                  Effort: 0.00



A new project has been registered at Savannah 
This project account will remain inactive until a site admin approves or
discards the registration.

= Registration Administration =

While this item will be useful to track the registration process, approving
or discarding the registration must be done using the specific "Group
Administration" page, accessible only to site administrators, effectively
logged as site administrators (superuser):


= Registration Details =

* Name: *Request Rodeo*
* System Name:  *requestrodeo*
* Type: non-GNU software &amp; documentation
* License: GNU General Public License V2 or later


Description: RequestRodeo is a novel concept to protect users of web
applications against Session Riding  (also known as Cross Site Request

RequestRodeo is a http proxy written in Python using the Twisted framework,
OpenSSL and SQLite. It protects its user(s) against an relatively unknown
attack vector, Session Riding. A short introduction to session riding can be
found at Wikipedia[1]. RequestRodeo is to our best knowledge the only project
of its kind.

Up to now, there are just two people working on RequestRodeo, me and Martin
Johns[2], who did most of the research for this project. He gave a talks on
Session Riding and the RequestRodeo in 2006 at the OWASP Europe[3], and will
talk about it at the PacSec[4] conference and the Chaos Communication

A recent svn snapshot can be found at [6] and a scientific paper describing
Session Riding and our RequestRodeo proxy can be found at [7].

There are some benefits gained from using the proxy approach rather than
implementing the protection directly in the web browser, such as browser
independence and ease of deployment (our proxy works with all major
browsers), but there are several drawbacks (we need to track the users
movements to construct a _reliable_ = not browser dependent referrer and we
need to act as an http to https bridge in order to support https).

Our long term plan is to write an extension for Mozilla Seamonkey and Mozilla
Firefox. Work on this has just begun.

We are in need of a development and deployment platform and love to use
Savannah for this purpose.


Other Software Required: Python, OpenSSL, PyOpenSSL, SQLite3, pysqlite2,


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]