SYNCHRONIZER TOKEN PATTERN
The synchronizer token pattern is a common method to mitigate Cross-Site Request Forgery (CSRF) attacks. Let's see how it works. In this method the CSRF token is stored in the server-side session. The client web page extracts it with an Ajax call and attaches it to the request; when the client makes a state-changing request, the token is sent along with it and the server validates it against the copy held in the session. Let's make this clear using the diagram below.
Let's go through these steps one by one using this sample application. (In the screens below the application runs on localhost with SSL enabled and a virtual host, test.com, on port 443. You can use any configuration you prefer, but enabling SSL is recommended.)
Step 1:
The user makes a GET request to test.com.
The server returns the login page so the user can enter credentials.
The user enters his credentials (user: pass) and presses Login. (A POST request with the credentials is sent to the server.)
Step 2 and 3:
The application validates the credentials and redirects the user to the account page. It generates a CSRF token and stores it in the session. The session id is sent back to the user's browser in a cookie, where it is saved.
Using Chrome developer tools we can see the details of the request headers (in the picture above).
For that request the server responds as shown in the following picture.
Step 4:
Now assume the user wants to remove his account, so he presses the Deactivate button on the web page.
Before the browser sends the POST request, the web page makes an Ajax call and gets the token from the server. The POST is then sent to the server carrying that extracted token.
The image above shows the request header and body with the token.
Step 5:
Now the web application validates the request by comparing the token stored in the session with the token in the request body, and also checks the session to confirm the user is logged in, before executing the requested action (removing the account). If the tokens match, the server knows this is a valid request from the legitimate user; if they do not match, the request is rejected.
The PHP code block this application uses to validate the token:
All the steps of the procedure have now been explained. Let's see what the source code looks like.
login.php
Deactivate.php
Ajax request.
Get Complete Project from here with full source code
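The following single-file PHP sketch is an added example, not the project's own source or the code linked above. It implements the three pieces the steps describe (login.php minting the token into the session, the endpoint the Ajax call reads the token from, and Deactivate.php validating the submitted token) and also shows why the cross-origin attack in the next section fails: the token endpoint sends no CORS header, so only a same-origin script can read it. The `check_credentials` function, the fixed user "user"/"pass", and the `?action=` routing are assumptions made for this example; `deactivate_account` is an application-specific stub.

```php
<?php
// csrf_demo.php - added example, not the project's own code.
// Pieces of the article's flow, routed by ?action= (assumption for one-file demo):
//   login      -> authenticate, regenerate the session id, mint a CSRF token (steps 1-3)
//   account    -> page whose Ajax call fetches the token before the POST (step 4)
//   token      -> return the session's token to same-origin Ajax only (step 4)
//   deactivate -> accept the POST only if the submitted token matches (step 5)
declare(strict_types=1);
session_start();

function csrf_token(): string {
    // Minted once per session from the OS CSPRNG, reused until logout.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // hash_equals() is constant-time, so a mismatch leaks no information about the token.
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

function check_credentials(string $user, string $pass): bool {
    // Placeholder for the application's real user store (assumption): one demo user,
    // hash computed at startup so no plaintext comparison is done.
    static $demo_hash = null;
    $demo_hash ??= password_hash('pass', PASSWORD_DEFAULT);
    return $user === 'user' && password_verify($pass, $demo_hash);
}

$action = $_GET['action'] ?? 'login';
switch ($action) {
    case 'login':
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            if (check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
                session_regenerate_id(true);      // fresh session id after login (fixation defence)
                unset($_SESSION['csrf_token']);   // never carry a pre-login token over
                $_SESSION['user'] = 'user';
                csrf_token();                     // step 2 and 3: token stored in the session
                header('Location: ?action=account');
                exit;
            }
            http_response_code(401);
        }
        echo '<form method="post"><input name="user"><input name="pass" type="password">'
           . '<button>Login</button></form>';
        break;

    case 'token':
        if (empty($_SESSION['user'])) { http_response_code(401); exit; }
        // No Access-Control-Allow-Origin header: the browser's same-origin policy stops a
        // script on attacker.com from reading this body, so the token cannot be extracted there.
        header('Content-Type: application/json');
        header('Cache-Control: no-store');
        echo json_encode(['csrf_token' => csrf_token()]);
        break;

    case 'account':
        if (empty($_SESSION['user'])) { header('Location: ?action=login'); exit; }
        // Step 4: the page fetches the token by Ajax, then POSTs it with the deactivate request.
        echo <<<'HTML'
<button id="deactivate">Deactivate account</button>
<script>
document.getElementById('deactivate').onclick = async () => {
  const r = await fetch('?action=token', {credentials: 'same-origin'});
  const {csrf_token} = await r.json();
  const body = new URLSearchParams({csrf_token});
  const res = await fetch('?action=deactivate', {method: 'POST', body, credentials: 'same-origin'});
  alert(await res.text());
};
</script>
HTML;
        break;

    case 'deactivate':
        // Step 5: require a logged-in session AND a matching token before changing state.
        if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['user'])) {
            http_response_code(403); exit;
        }
        if (!csrf_valid($_POST['csrf_token'] ?? null)) {
            http_response_code(403);
            echo 'CSRF token missing or invalid';
            exit;
        }
        // deactivate_account($_SESSION['user']);  // application-specific, stubbed (assumption)
        session_destroy();
        echo 'Account deactivated';
        break;
}
```

Two points a reviewer would check in a real deployment: the token endpoint must never be given a permissive CORS policy (an `Access-Control-Allow-Origin` that reflects arbitrary origins together with `Access-Control-Allow-Credentials: true` would let attacker.com read the token), and the comparison must stay `hash_equals`, not `==`, so the check is constant-time. Embedding the token directly in the rendered page or form is the more common variant of the same pattern and avoids the extra round trip.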
Why can't an attacker perform CSRF now?
An attacker may try to make the same request to test.com (or another site) from his own website, attacker.com (discussed in this post: CSRF-forgery). But now the Ajax request that fetches the token runs from a different origin (attacker.com, not test.com). The browser's same-origin policy does not let a script on attacker.com read a response from test.com unless test.com explicitly permits it with CORS headers, so the attacker's script is unable to extract the token. Without the CSRF token, test.com rejects the state-changing operation the attacker tried to forge.