CSRF PROTECTION: SYNCHRONIZER TOKEN PATTERN
Cross-Site Request Forgery (CSRF) is an attack that forces or tricks a user into performing unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, such as transferring funds or changing an email address, because the attacker can make the victim's browser execute actions of the attacker's choosing on that application.
PREVENTION OF CSRF
To prevent this kind of attack, there are two well-known techniques:
- Synchronizer Token Pattern
- Double Submit Cookies Pattern
In this post we only look at the Synchronizer Token Pattern and how it prevents CSRF. In the next post, we'll look at the Double Submit Cookie Pattern.
SYNCHRONIZER TOKEN PATTERN
It is a prevention technique that defeats CSRF attacks. It works by embedding additional authentication data into requests, which allows the web application to detect requests that did not originate from its own pages.
The application stores a secret, unique value (the token) in every HTML form that performs an action, and verifies it on the server side when the form is submitted. The token can be generated with a cryptographically secure random generator or a hash function such as SHA-256 (many other hash functions and constructions are available).
How does the Synchronizer Token Pattern (STP) prevent CSRF?
To follow the demonstration, download it from the following link: https://github.com/suga95/CSRF_Synchronizer_Token_Pattern.git
Prerequisite: XAMPP Server
- Place the downloaded application inside the XAMPP installation folder, under xampp -> htdocs.
- Start XAMPP's Apache server.
- Open the application in any browser by visiting the URL: localhost://CSRF Synchronizer Token Pattern/userLogin.php
- Log in with SUGA as the username and 1234 as the password.
- After logging in, the system displays the UI shown in the screenshot below.
- As shown in the screenshot above, when nothing in the CSRF token field is modified, the page redirects us to the success page.
- If the CSRF field is modified in any way, the system shows the page below after submission.
- First, the user is asked to log in by providing his or her credentials.
- Upon successful login, the system redirects to the user registration page, where the user fills in the relevant details in the form.
- Upon login, the system also creates a session and sets it in the browser with a Set-Cookie header.
- The CSRF token is generated with a cryptographically secure function, and the token is saved on the server side in "CSRf_token_FILE.txt".
- When the registration page loads, the generated CSRF token value and the session id are placed in hidden fields of the registration form.
- On submission, the server reads the session cookie, looks up the stored token by session id, and takes the posted CSRF token value for further processing.
- The posted token is compared with the stored CSRF token for that session id; both must be equal. If they match, the success message is shown, otherwise the CSRF attack/forgery page is shown.
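As an added illustration (not code from the linked demo app, which is PHP), the following Python models the flow above: a constructed in-memory session store stands in for the server-side token file, the session id is read from the cookie rather than from a hidden field, and the login credentials are the demo's SUGA / 1234.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory store standing in for "CSRf_token_FILE.txt":
# session id -> {"user": ..., "csrf_token": ...}
SESSIONS: dict = {}


def login(username: str, password: str) -> Optional[str]:
    """Create a session for a valid login and return its id (the cookie value)."""
    if not (hmac.compare_digest(username.encode(), b"SUGA")
            and hmac.compare_digest(password.encode(), b"1234")):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf_token": None}
    return session_id


def issue_csrf_token(session_id: str) -> str:
    """Generate a fresh random token (256 bits from the OS CSPRNG) bound to this session."""
    token = secrets.token_hex(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def render_form(session_id: str) -> str:
    """Embed the token as a hidden field; the session id travels in the cookie."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="register.php">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="email">'
        "</form>"
    )


def validate_post(cookie_session_id: Optional[str], posted_token) -> bool:
    """Server-side check on every state-changing POST: token must match the session's."""
    session = SESSIONS.get(cookie_session_id)
    if session is None or not session["csrf_token"]:
        return False  # unknown session, or no token was ever issued for it
    if not isinstance(posted_token, str):
        return False  # hidden field missing or malformed
    # Constant-time comparison so response timing does not leak the stored token.
    return hmac.compare_digest(session["csrf_token"], posted_token)
```

A token issued for one session is rejected when replayed against another, which is what binds the hidden field to the logged-in user.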
