Preventing CSRF Using Synchronizer Token Pattern

What is CSRF? 

Cross-Site Request Forgery (CSRF) is an attack occurs when an attacker is able to create forged HTTP requests and trick the victim into making those requests via image tags, XSS, and many other ways. When the user makes these malicious requests and is authenticated with the application, the attack can be even more devastating. The attacker is able to get the user to perform state changing operations that the user is authorized to do in the application such as updating account details, making purchases, transferring money, and even deleting the account. Essentially, the attacker takes advantage of the website’s trust in the user.

How CSRF works?

CSRF will only work if the potential victim is authenticated.Using a CSRF attack an attacker can bypass the authentication process to enter a web application. When a victim with additional privileges performs actions that are not accessible to everyone, which is when CSRF attacks are utilized. Such as online banking scenarios.

There are two main parts to execute a Cross-Site Request Forgery (CSRF) attack.

  1. The first part is to trick the victim into clicking a link or loading up a page. This is normally done through social engineering. By using social engineering methods attacker will lure the user to click the link.

  2. The second part is to send a “forged” or made up request to the victim’s browser. This link will send a legitimate-looking request to the web application. The request will be sent with the values that the attacker wants. Apart from them, this request will include any cookies that the victim has associated with that website.

An example of CSRF Attack:

A CSRF attack works as follows. While accessing the bank account, the user simultaneously browses some other web sites. One of the site ‘www.somesite.com’, contains a hidden form and a piece of JavaScript. As soon as the user visits the webpage, the browser silently submit the hidden form to ‘fictitiousbank.com’. The format and content of the request is exactly the same as the request triggered by the user clicking the submit button in the “pay bill” form provided by the bank. On sending the request, the user’s browser automatically attaches the authentication cookies to the request. Since the session is still active in the server, the request will be processed by the server as issued by user.


How to prevent CSRF attacks?

1. Using Synchronizer Token Pattern  

Synchronizer Token Pattern is a very simple concept to mitigate the risk of being attacked through CSRF. It is a technique where a token, secret and unique value for each request is embedded by the web application in all HTML forms and verifies on the server side.

When a request is made to the server to change data, the server code will read and validate the token’s origin. If the server cannot read the token, it is likely that the token was not issued by the server and the request should not be processed.
The token could be generated using any method which ensures the uniqueness (either by using hash chain of random seed) and because of this the attacker will not be able to place a token in their requests to authenticate them.

Let's build a NodeJS application to demonstrate this 

   1. Initialize a NodeJS application.


   2. Setup session in application.


   3. Create login page.

It consists of a simple form that submits the values to /login through a POST call. Then, we will implement the POST /login endpoint to receive these values.

   4. Handle /login POST Request.

Here we have used hard coded user credentials for demonstration. Once the user is successfully authenticated, we set a unique value as csrf token in session in server side.

 Once you logged in, you observe the following cookie being added to your browser. 


   5. Create submission form page.


In Synchronizer Token pattern, simply submitting the session ID with the username is not sufficient. CSRF token should be provided as well. Therefore, in here, there is an AJAX call to the /token endpoint for obtaining the CSRF token created for the session and it will be embedded into a hidden field in the form.

 You can observe this element from the browser. 

This is invisible to the user. When the user submits the form, this value is submitted as well.

Now, let’s implement the /message endpoint which receives the POST request.

   6. Handle /message POST request.

Upon receiving the request, the session's CSRF token and the request's CSRF token are compared to validate the request and the message submission will be completed if the provided values are correct.

So, in this scenario, even if an attacker can provoke the user to complete some action and send an unintended request to the server, although the cookies are sent, the CSRF token is not present. Therefore, the submission will not be completed, hence preventing CSRF.

Upon receiving the request, the session's CSRF token and the request's CSRF token are compared to validate the request and the message submission will be completed if the provided values are correct.


References

   1. owasp.org

   2. Implement Synchronizer Token Pattern using Spring Boot

______________________________________________________________

Tip: Understand the concept well. Then you will be able to develop better applications.:octocat::zap:

Comments

Post a Comment

Popular posts from this blog

Preventing CSRF Using Double Submit Cookie Pattern

Image
In  previous blog post, what CSRF is and how to preventing CSRF using  Synchronizer Token Pattern are discussed.  This blog post will discuss how to use Double Submit Cookie Pattern to prevent from CSRF attacks.   How Double Submit Cookie Pattern works? When a user authenticates to a site, the site should generate a (cryptographically strong) pseudo-random value and set it as a cookie on the user’s machine separate from the session ID. The server does not have to save this value in any way, that's why this pattern is also called Stateless CSRF Defense . The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy.     Let's modify the previously built NodeJS application to demonstrate this 1. Handle /login POST Request. Once the u...
Read more

Code Coverage Using Clover

Image
What is Code Coverage? Code Coverage is the percentage of code which is covered by automated tests. Let's Get Started Code Coverage with Clover Clover is an industry-leading code coverage tool which allows us to easily measure the coverage of the unit tests, enabling targeted work in unit testing — resulting in stability and enhanced quality code with maximal efficiency of effort. It is an open source product from Atlassian. It has the server edition as well as desktop edition which is available as plugins for Eclipse and IDEA. Clover's Ant and Maven integrations allow coverage measurement to be performed in Automated Build and Continuous Integration systems, and reports generated to be shared by the team. Download and Configure Clover-for-Eclipse Download Clover-for-Eclipse from the Clover downloads page. Select from the menu " Help > Install New Software ... " Click " Add... ", next click " Archive... " and point to the...
Read more