Posts

Showing posts from 2018

RESTful API

RESTful APIs are application programming interfaces (APIs) that adhere to the REST architectural style and use HTTP requests to GET, PUT, POST and DELETE data. A RESTful API has the following features, which are the guiding constraints that define a RESTful system. Client-server: the client handles the front end, the server handles the back end, and each can be replaced independently of the other. Stateless: no client data is stored on the server between requests; session state is stored on the client. Cacheable: clients can cache responses (just as browsers cache the static elements of a web page) to improve performance. Uniform interface: the key to decoupling the client from the server is a uniform interface that allows the application to evolve independently, without tightly coupling its services, models and actions to the API layer itself. Layered system: REST APIs have different layers of their a...

Cross-Site Request Forgery protection in web applications via Double Submit Cookies Patterns

Double submission of cookies is another well-known method to block CSRF. As with unique tokens, a random token is assigned to both a cookie and a request parameter. In the double-submit cookie pattern, two cookies (one for the session and one for the CSRF token) are stored in the browser. This pattern is also called the Stateless CSRF Defense, since the server does not have to save the token value in any way, thus avoiding server-side state. In our previous method we stored CSRF token values on the server side (in a text file); here we do not. When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine, separate from the session ID. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross-origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin...

Cross-Site Request Forgery protection in web applications via Synchronizer Token Patterns

A number of effective methods exist for preventing CSRF (Cross-Site Request Forgery) attacks. For web applications, multiple solutions exist to block malicious traffic and prevent attacks. Among the most common mitigation methods is to generate a unique random token for every session request or ID. [Figures: Synchronizer Token Success; Synchronizer Token Failure] Any state-changing operation requires a secure random token (e.g., a CSRF token) to prevent CSRF attacks. Characteristics of a CSRF token: unique per user session; a large random value; generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field in forms, or within the URL if the state-changing operation occurs via a GET. The server checks and verifies the token before responding to any client request, and rejects the requested action if the CSRF token fails validation. Session requests having either duplicate tokens or missing values are bl...

Cross Site Request Forgery (CSRF)

What is CSRF? Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, a changed password, or the purchase of an item in the user's context, with a little help from social engineering (such as sending a link via email or chat). CSRF Example: in effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser without the knowledge of the target user, at least until the unauthorized transaction has been committed. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring fu...