
Cross-Site-Request-forgery-protection-in-web-applications-via-Synchroniser-Token-Patterns

What is Cross-site request forgery? 

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.

Let’s take a look at a concrete example to get a better understanding.
  • Assume that your bank’s website provides a form that allows transferring money from the currently logged-in user to another bank account. For example, the HTTP request might look like:
POST /transfer HTTP/1.1
Host: bank.example.com
Cookie: JSESSIONID=randomid; Domain=bank.example.com; Secure; HttpOnly
Content-Type: application/x-www-form-urlencoded

amount=100.00&routingNumber=1234&account=9876
  • Now pretend you authenticate to your bank’s website and then, without logging out, visit an evil website. The evil website contains an HTML page with the following form:
<form action="https://bank.example.com/transfer" method="post">
  <input type="hidden" name="amount" value="100.00"/>
  <input type="hidden" name="routingNumber" value="evilsRoutingNumber"/>
  <input type="hidden" name="account" value="evilsAccountNumber"/>
  <input type="submit" value="Win Money!"/>
</form>

You like to win money, so you click on the submit button. In the process, you have unintentionally transferred $100 to a malicious user. This happens because, while the evil website cannot see your cookies, the cookies associated with your bank are still sent along with the request.

How are CSRF protection methods implemented?

CSRF protection can be implemented in two main ways:

  • Synchronizer Token Pattern
  • Double Submit Cookie Pattern
In this post we are going to show the implementation process of the Synchronizer Token Pattern.

You can see a sample project (Github) :- 
https://github.com/MalikDilsh/Cross-Site-Request-forgery-protection-in-web-applications-via-Synchroniser-Token-Patterns

It is an example showing how to implement the client side and the server side to defend against CSRF attacks using the CSRF token method (the synchronizer way). To try it, use:
  • Username: malik
  • Password: malik123
  • Make sure to check the "remember me" checkbox

Step 1:

First of all, create an index.php (client side). Start a session and create a cookie to store the session ID. (That cookie will also be used to validate the session ID on the server side.)

Step 2:

Then we need to generate a CSRF token and store it on the server side (server.php). By the time the client page has run, a cookie named "session id" exists and it contains the ID of the client's current session, so the server can store the token against that session.

Step 3:

Next, when the client page is loaded, we have to send a request to the server and fetch the CSRF token stored on the server side. I created a JavaScript function called "loadDOC". It sends a request to the server side, grabs the CSRF token, and stores it in a hidden DOM field on the client side when the page is loaded.


Step 4:

Call the loadDOC function on the client side.

Step 5:

Then we need to create a hidden DOM field to store the CSRF token value. This value is sent back to the server side when the user clicks the Login button.


Step 6:

When the user clicks the Log In button, all values in the form are transferred to the server side. Next we have to validate the received values (including the CSRF token) on the server side.
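The six steps above, worked through as one added example in PHP. This is not the code from the linked project: it is a single file that plays both the index.php and server.php roles, and the file name server.php, the query parameter action=token, the session key and the hidden-field name csrf_token are all assumptions made for the example. The demo credentials are the ones the post gives, standing in for a real credential check.

```php
<?php
// Added example, not the project's own code. One file ("server.php", an
// assumed name) implementing the Synchronizer Token Pattern end to end:
//   GET               -> serves the login page (the project's index.php role)
//   GET ?action=token -> returns this session's CSRF token as JSON (step 3)
//   POST              -> validates the token and the credentials (step 6)
declare(strict_types=1);

// Step 1: start the session; PHP sets the session-id cookie for us.
session_start();

// Step 2: one token per session, from a CSPRNG, kept only on the server.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Step 6: compare the submitted token with the stored one in constant time,
// so a wrong token cannot be distinguished byte by byte through timing.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

$method = $_SERVER['REQUEST_METHOD'];
$action = $_GET['action'] ?? '';

if ($method === 'GET' && $action === 'token') {
    // Only same-origin scripts can read this body: a cross-site page can
    // trigger the request, but the browser never lets it see the token.
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    echo json_encode(['token' => csrf_token()]);
    exit;
}

if ($method === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: CSRF token missing or invalid.');
    }
    // Placeholder credential check using the post's demo account; a real
    // application verifies a stored password hash with password_verify().
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if ($user === 'malik' && $pass === 'malik123') {
        session_regenerate_id(true);     // new session id after login
        unset($_SESSION['csrf_token']);  // and a fresh token to go with it
        exit('Login successful, CSRF token verified.');
    }
    http_response_code(401);
    exit('Invalid username or password.');
}

// Steps 4 and 5: the client page with the hidden field that loadDOC() fills.
?>
<!DOCTYPE html>
<html>
<body>
<form method="post" action="server.php">
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="hidden" name="csrf_token" id="csrf_token" value="">
  <input type="submit" value="Log In">
</form>
<script>
// Step 3: after the page loads, ask the server for this session's token and
// store it in the hidden field so it travels with the form submission.
function loadDOC() {
  fetch('server.php?action=token', { credentials: 'same-origin' })
    .then(function (r) { return r.json(); })
    .then(function (d) { document.getElementById('csrf_token').value = d.token; });
}
window.addEventListener('load', loadDOC);
</script>
</body>
</html>
```

The token endpoint is safe only because the browser's same-origin policy stops a cross-site page from reading its response, so it must never be given a permissive Access-Control-Allow-Origin header. In a server-rendered PHP page the token could equally be written straight into the hidden field when the page is generated; the fetch in loadDOC() mirrors the post's design, where the client asks the server for the token after load.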


The implementation part is over. Let's take a look at the project output.


After entering the given username and password, you get a message like this: