Cross-Site Request Forgery protection in web applications via Synchronizer Token Patterns

A number of effective methods exist for prevention of CSRF (Cross-Site Request Forgery) attacks. For web applications, multiple solutions exist to block malicious traffic and prevent attacks. Among the most common mitigation methods is to generate unique random tokens for every session request or ID.
Synchronizer Token Success

Synchronizer Token Failure

 Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks.

Characteristics of a CSRF Token:

  • Unique per user session
  • Large random value
  • Generated by a cryptographically secure random number generator

The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs via a GET.

The server checks and verifies the token before respond to any client request. Further, the server rejects the requested action if the CSRF token fails validation. Session requests having either duplicate tokens or missing values are blocked. Alternatively, a request that doesn’t match its session ID token is prevented from reaching an application.


In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt the Synchronizer Token Pattern.
This blog post will discuss how to use Synchronizer Token Patterns to protect our own website against Cross-Site Request Forgery.

Example:

We have a simple login page to provide username and password which is checked with the hardcoded values.
If the login credentials are wrong it will shows an error message. When login is successful, a session will be created and the session id will be used to map with the CSRF token that will be generated along with the session creation.
Then the user redirects to a web page that allows the user to update a post. When this page loads with the help of AJAX, generated CSRF token value will be added to a hidden field in the HTML form.
Once the user updates a post CSRF token will be validated. If it is valid user will see the post he updated.
In here we store CSFR token values on the server side (since we run our project in localhost we store it in a .txt file).


This is the file structure and you can clone it from the GitHub and run it on localhost.

There are 5 .php files and one. txt file.









Login Page

You can enter your username and password in this form.











index.php


This is the index.php file we create it as for our login page.

















When the form is submitted user will be redirected to the home.php page.

home.php








If the login credentials are wrong it will show an error message.

 If the login is successful, a successful message will be displayed.

Upon login, a new session will be created and session identifier will be set as a cookie in the browser.
At the same time, a CSRF token will be generated and stored it in the server side (here we save it in a text file).



As you can see Ajax is used to call the csrf_token_generator.php file to get the generated CSRF token value and put it inside the hidden textfield in the HTML form.

















csrf_token_generator.php

This php file generates the csrf token. Also, it sets a browser cookie with the value of session_id. After that CSRF token value will be stored in a text file called Tokens.txt along with its session_id.











openssl_randon_pseudo_bytes() is used to generate the 32bit long csrf token. In order to use this function, you have to have openssl installed. Otherwise it will give you an error. The generated value then converted into its base64 value using base64_encode () function in order to make it more secure.

In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires.

Updated_post.php


Once the form in home.php is submitted user will be redirected to this page.
















This will act as an endpoint that accepts HTTP POST requests and respond with the CSRF token. The endpoint receives the session cookie and based on the session identifier, return the CSRF token value.

Once the HTML form is submitted to the action, in the server side, extract the received CSRF token value in the hidden text field and check if it is the correct token issued for the particular session.
This is where checkToken function gets called. Obtained session cookie and the corresponding CSRF token for the session will be send as parameters. If the returned value of the function is true, the user can view his/her updated post.



token.php

This php file has checkToken function which gets two parameters (CSRF token and session id) and return true if the given parameters match with the values that are stored inside the text file.















CSFR_Tokens.txt

However, that this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server. Regardless of the approach taken, developers are encouraged to protect the CSRF token the same way they protect authenticated session identifiers, such as the use of TLS.






Comments

Post a Comment

Popular posts from this blog

Introduction to Encryption

Image
What is Encryption? Encryption is like sending secret messages between parties; if someone tries to pry without the proper keys, they won't be able to understand the message. In other words, it is the process of locking up information using cryptography (Cryptography is both the practice and the study of hiding information.) Definition:  ‘ The Process of converting plain text into cipher text, something that appears to be random and meaningless ’ is called as the encryption. Process of converting cipher text back into original text is called as decryption . Terminology Original message is called as plain text/clear text.   Encrypted message is called as cipher text/encrypted text.  A Key which is a secret like a password which is used to encrypt and decrypt information.  Ciphers are the specific algorithms which are used to encrypt and decrypt data. A cipher is series of well-defined steps that can be followed as a procedure to encrypt and decrypt m
Read more

Cross-Site Request Forgery protection in web applications via Double Submit Cookies Patterns

Image
Double submission of cookies is another well-known method to block CSRF. Similar to using unique tokens, random tokens are assigned to both a cookie and a request parameter. In double-submitted cookie pattern, two cookies (for the session and for the CSRF token) are stored in the browser. This pattern is also called as Stateless CSRF Defense since the server site does not have to save this value in any way, thus avoiding server side state. In our previous method, we stored CSRF token values on the server side (text file). But here we don't do it. When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin
Read more

How to do a Phishing attack on Facebook?

Image
This is a Step by step tutorial to make an undetectable Facebook phishing site. Step 1: Download page source Go to https://www.facebook.com Right click on the blank area -> Click Save As When dialog box appears select ‘Webpage, complete’ as Save as type -> Click Save Step 2: Edit “Facebook - Log In or Sign Up.html” file and rename it. Open ‘Facebook - Log In or Sign Up.html’ file with notepad or Dreamweaver. Remove all the ajax codes. (You can download HTML file which removed all ajax codes form here https://github.com/nimeshikaranasinghe/Facebook-Phisihing.git   ) Search for login action (Press Ctrl + F -> type ‘ action= ’ -> Click Find Next) Replace the highlighted part (as in the following screenshot) with getDetails.php Save the file as index.html Step 3: Create getDetails.php Open a notepad. Type the following code <?php             $username = $_POS
Read more