Sunday, October 13, 2019

Cross-Site Request Forgery (CSRF) - Synchronizer Token Pattern

Cross-Site Request Forgery (CSRF)


Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

References - OWASP, Wikipedia


How to prevent CSRF?


There are two methods to prevent it:


  1. Synchronizer Token Pattern 
  2. Double Submit Cookie Pattern

Synchronizer Token Pattern

The Synchronizer Token Pattern is a mechanism in which a unique, secret token is generated for every request. The token is single-use and is stored in server memory against the corresponding session ID, so the attacker is unable to obtain the correct token and cannot manipulate the authenticated session.


Working Process


The diagram below briefly shows the working process.




Figure 1 - Diagram

  1. The user sends a GET request to the server.
  2. The server assigns a cookie with a session ID and saves the session data together with the token.
  3. The server responds with an HTML form in which the token is placed in a hidden field.
  4. The user submits the form, including the hidden field.
  5. The server verifies the submitted token by comparing it with its session data.
  6. If they match, the request is accepted as coming from the legitimate user.


Implementation

First, we have to create a web application and host it on localhost (for educational purposes).

Start it on localhost and open index.php. Use the sample project to implement the method.





Figure 2 - Login

The login form submits the user details with a POST request. On successful login a unique session ID and a token are created; the token is stored on the server side.

This is a simple login. Enter the credentials:
username - admin
password - pass




Figure 3

This is the implementation of the simple login form.




Figure 3.1 - index.php


Figure 3.2 - style.css



If the login is successful it will redirect to the page below, result.php.
After a successful login, I implemented a POST request to update some idea. The POST request contains the generated CSRF token and the session cookie.


Figure 4


Figure 5 - result.php



Figure 5.1 - result.php



Enter some data and submit it.

Figure 6


After the user clicks the "Submit" button, the POST request is sent to the server. There the server validates the session ID that came in the request header (the cookie) and the CSRF token that came in the body. If the CSRF token is valid, the server accepts the request and shows the result to the user. The POST request is also used to add data from the form; after submission, the server compares the submitted token with the stored one to find a match.


Figure 7
If this validation fails, an error is shown with the message "token is not valid"; on success the message "Valid request" is shown.
This is the implementation of the home page.


Figure 8 - home.php

Then I implemented the token.php and csrf_token_generator.php pages and the tokens.txt file in this way.

Figure 9 - token.php

Figure 10 - csrf_token_generator.php

Figure 11 - tokens.txt


Is this method safe?


The attacker fails because the CSRF token retrieved while the page loads is not visible to him, and it is not possible to send it with the forged request even though the browser attaches the session cookie automatically. So when an attacker sends us a link that contains a hidden POST request to update the user's status, the attacker is not able to add the CSRF token to the attacker's POST request, and the server rejects the request.
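The post's own implementation is in PHP screenshots (index.php, result.php, token.php, csrf_token_generator.php, tokens.txt) that are not reproduced here. The following is an added Python model of the same flow, not the post's code: it walks through steps 1 to 6 above (session cookie, token stored against the session, hidden field, verification), returns the "Valid request" / "token is not valid" messages described for result.php, and then shows why the forged cross-site POST in this section fails: the cookie is present but the token is not. The in-memory SESSIONS dictionary stands in for the server-side token store (the post's tokens.txt), the cookie name PHPSESSID and the field names are assumptions, and all inputs are constructed.

```python
import hmac
import secrets

# Constructed in-memory stores. SESSIONS plays the role of the server-side
# session data (the post keeps tokens in tokens.txt); USERS holds the post's
# sample credentials.
SESSIONS = {}                # session_id -> {"user": str, "csrf_token": str | None}
USERS = {"admin": "pass"}    # credentials from the post


def login(username, password):
    """Steps 1-2: check credentials, mint a session ID for the cookie.
    Returns the session ID, or None on bad credentials."""
    if USERS.get(username) != password:
        return None
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": username, "csrf_token": None}
    return session_id


def issue_token(session_id):
    """Step 2/3: generate a fresh, unpredictable token and store it against
    the session. It is the only copy the server keeps."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def render_form(session_id):
    """Step 3: the HTML form served to the logged-in user, with the token in a
    hidden field (field names are assumed, not from the post)."""
    token = issue_token(session_id)
    return (
        '<form method="POST" action="result.php">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="idea"><button>Submit</button></form>'
    )


def verify(session_id, submitted_token):
    """Steps 5-6: compare the submitted token with the stored one using a
    constant-time comparison, and consume it so it cannot be replayed."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "session not valid"
    expected = session.get("csrf_token")
    if not expected or submitted_token is None:
        return "token is not valid"
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return "token is not valid"
    session["csrf_token"] = None   # one-time use: a second submit needs a new form
    return "Valid request"


def handle_post(cookies, form):
    """Step 4/5 on the server: the session ID arrives in the Cookie header,
    the token arrives in the POST body. Cookie name PHPSESSID is assumed."""
    return verify(cookies.get("PHPSESSID"), form.get("csrf_token"))


def demo():
    """Constructed walk-through: a legitimate submit, a replay of the same
    token, and a cross-site forgery that carries the cookie but no token."""
    sid = login("admin", "pass")
    html = render_form(sid)
    # The real browser reads the hidden field out of the served page; the
    # attacker's page cannot, because it never receives this HTML.
    token = html.split('name="csrf_token" value="')[1].split('"')[0]
    legit = handle_post({"PHPSESSID": sid}, {"csrf_token": token, "idea": "my idea"})
    replay = handle_post({"PHPSESSID": sid}, {"csrf_token": token, "idea": "again"})
    forged = handle_post({"PHPSESSID": sid}, {"idea": "attacker text"})
    return legit, replay, forged


if __name__ == "__main__":
    for label, outcome in zip(("legitimate", "replay", "forged"), demo()):
        print(f"{label}: {outcome}")
```

Two details matter beyond what the screenshots show: the token comes from secrets (a CSPRNG), so it cannot be guessed, and the comparison uses hmac.compare_digest so that a wrong token is rejected in constant time rather than leaking how many leading bytes matched.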

Click here to get the sample project on GitHub

Double Submit Cookie Pattern - Click Here

I hope this gave you an understanding of how to prevent CSRF using the synchronizer token pattern.

