Synchronizer Token Pattern

-

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Cross-site Request Forgery (CSRF) protection via Synchronizer Token Patterns

This protection technique is called as Synchronizer Token Pattern. This solution is to ensure that each request requires, in addition to our session cookie, a randomly generated token as an HTTP parameter. When a request is submitted, the server must look up the expected value for the parameter and compare it against the actual value in the request. If the values do not match, the request should fail.

Implementation

User needs to login to the website.
(username “user” password “user”)

Login Page
When user clicked on "Login" button validate the user and In the background a CSRF token will be generated (token.php) using the session id.

token.php

Successful login user will be redirected to the moneyTransfer page (moneyTransfer.php)

moneyTransfer.php
Then execute an ajax call which invokes the "ajaxscriptendpoint.php" for obtain the csrf token created for the session and set it to the hidden text field's value.


User clicked on Send button, form will be submitted and CSRF token will be validated.


If the token is valid shows success message otherwise it gives an error message.

Success Message
Error Message
Source code: https://github.com/sakiladissanayake/SynchronizerTokenPattern

Comments

Post a Comment

Popular posts from this blog

OrientDB Quick Guide

-
OrientDB is an Open Source NoSQL Database Management System, which contains the features of traditional DBMS along with the new features of both Document and Graph DBMS. It is written in Java. It can store 220,000 records per second. OrientDB installation file is available in two editions : Community Edition Enterprise Edition The main feature of OrientDB is to support multi-model objects, it supports different models like Document, Graph, Key/Value and Real Object. It contains a separate API to support all these four models. Document Model OrientDB uses the concepts such as classes, clusters, and link for storing, grouping, and link for storing, grouping, and analyzing the documents. Comparison between relational model, document model, and OrientDB document model. Relational Model Document Model OrientDB Document Model Table Collection Class or Cluster Row Document Document C...
Read more

Cron Expressions

-
Cron expressions are used to configure instances of CronTrigger, a subclass of org.quartz.Trigger. A cron expressions is a string consisting of six or seven subexpressions (fields) that describe individual details of the schedule. These fields, separated by white space, can contain any of the allowed values with various combinations of the allowed characters for that field. Table 1 Cron Expression Allowed Fields and Values Name Required Allowed Values Allowed Special Charaters Seconds Y 0-59 ,-*/ Minutes Y 0-59 ,-*/ Hours Y 0-23 ,-*/ Day of month Y 1-31 ,-*?/LWC Month Y 0-11 or JAN-DEC ,-*/ Day of week Y 1-7 or SUN-SAT ,-*?/LC# Year N Empty or 1970-2099 ,-*/ Example Cron expression can be as simple as * * * * ? * or as complex as 0 0/5 14,18,3-39,52 ? JAN,MAR,SEP MON-FRI 2002-2010 ...
Read more

Double Submit Cookies Pattern

-
Image
Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. Cross-site Request Forgery(CSRF) protection via Double Submit Cookies Patterns. In this technique, we send a random value in both a cookie and as a request param...
Read more