Posts

Showing posts from October, 2018

Let's Get Authorization Done by OAuth 2.0

What is OAuth 2.0? OAuth 2.0 is an open-standard authorization protocol or framework that gives applications the ability for "secure designated access." For example, you can tell Facebook that it's OK for ABC.com/application to access your profile or post updates to your timeline without having to give ABC.com your Facebook password. This minimizes risk in a major way: in the event ABC.com suffers a breach, your Facebook password remains safe. This is known as secure, third-party, user-agent, delegated authorization. How does it work? Let's get started with the OAuth Roles 👀 Resource Owner - the user who authorizes an application to access their account. Client - the application that wants to access the user's account. Resource Server - hosts the protected user accounts. Authorization Server - verifies the identity of the user, then issues access tokens to the application. There are five types of grants specified in the OAuth 2.0 s...

Preventing CSRF Using Double Submit Cookie Pattern

In the previous blog post, what CSRF is and how to prevent CSRF using the Synchronizer Token Pattern were discussed. This blog post will discuss how to use the Double Submit Cookie Pattern to prevent CSRF attacks. How does the Double Submit Cookie Pattern work? When a user authenticates to a site, the site should generate a (cryptographically strong) pseudo-random value and set it as a cookie on the user's machine, separate from the session ID. The server does not have to save this value in any way, which is why this pattern is also called the Stateless CSRF Defense. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross-origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. Let's modify the previously built NodeJS application to demonstrate this 1. Handle the /login POST Request. Once the u...

Preventing CSRF Using Synchronizer Token Pattern

What is CSRF? Cross-Site Request Forgery (CSRF) is an attack that occurs when an attacker is able to create forged HTTP requests and trick the victim into making those requests via image tags, XSS, and many other ways. When the user makes these malicious requests while authenticated with the application, the attack can be even more devastating. The attacker is able to get the user to perform state-changing operations that the user is authorized to do in the application, such as updating account details, making purchases, transferring money, and even deleting the account. Essentially, the attacker takes advantage of the website's trust in the user. How does CSRF work? CSRF will only work if the potential victim is authenticated. Using a CSRF attack, an attacker can bypass the authentication process to enter a web application. CSRF attacks are utilized when a victim with additional privileges performs actions that are not accessible to everyone. Such as onli...