Preventing CSRF Using Double Submit Cookie Pattern

In previous blog post, what CSRF is and how to preventing CSRF using Synchronizer Token Pattern are discussed. This blog post will discuss how to use Double Submit Cookie Pattern to prevent from CSRF attacks. 

How Double Submit Cookie Pattern works?

When a user authenticates to a site, the site should generate a (cryptographically strong) pseudo-random value and set it as a cookie on the user’s machine separate from the session ID. The server does not have to save this value in any way, that's why this pattern is also called Stateless CSRF Defense.

The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy.  

Let's modify the previously built NodeJS application to demonstrate this

1. Handle /login POST Request.

Once the user is authenticated, a cookie containing csrf token will be create in the user's browser and it is set to httpOnly to make it readable by javascript.

 

2. Create submission form page.

A client-side script will retrieve csrf token value and inject it to a hidden field on the form loading to be submitted along with the form.  


3. Handle /message POST request.

Upon receiving the request, the cookie's CSRF token and the request's CSRF token are compared to validate the request and the message submission will be completed if the provided values are correct.


GitHub URL: https://github.com/TharinduMPerera/DoubleSubmitCookiesPattern


 ______________________________________________________________

Tip: Understand the concept well. Then you will be able to develop better applications.:octocat::zap:


Comments

Post a Comment

Popular posts from this blog

Preventing CSRF Using Synchronizer Token Pattern

Image
What is CSRF?  Cross-Site Request Forgery  (CSRF) is an  attack occurs when an attacker is able to create forged HTTP requests and trick the victim into making those requests via image tags, XSS, and many other ways. When the user makes these malicious requests and is authenticated with the application, the attack can be even more devastating. The attacker is able to get the user to perform state changing operations that the user is authorized to do in the application such as updating account details, making purchases, transferring money, and even deleting the account. Essentially, the attacker takes advantage of the website’s trust in the user. How CSRF works? CSRF will only work if the potential victim is authenticated.Using a CSRF attack an attacker can bypass the authentication process to enter a web application. When a victim with additional privileges performs actions that are not accessible to everyone, which is when CSRF attacks are utilized. Such as onli...
Read more

Code Coverage Using Clover

Image
What is Code Coverage? Code Coverage is the percentage of code which is covered by automated tests. Let's Get Started Code Coverage with Clover Clover is an industry-leading code coverage tool which allows us to easily measure the coverage of the unit tests, enabling targeted work in unit testing — resulting in stability and enhanced quality code with maximal efficiency of effort. It is an open source product from Atlassian. It has the server edition as well as desktop edition which is available as plugins for Eclipse and IDEA. Clover's Ant and Maven integrations allow coverage measurement to be performed in Automated Build and Continuous Integration systems, and reports generated to be shared by the team. Download and Configure Clover-for-Eclipse Download Clover-for-Eclipse from the Clover downloads page. Select from the menu " Help > Install New Software ... " Click " Add... ", next click " Archive... " and point to the...
Read more