Sanjeewa Blog

Cross-site Request Forgery protection in web application Double Submit Cookie Send Random Value in both Cookie and request Server Verify matching of Cookie Value and Requested Value About Application Java Based Web application which has simple hard coded login page User login to the application with user name "asd" and pssword "123" Login Upon login, generate session identifier and set a cookie in the browser. At the same time, generate the CSRF token for the session and set a cookie in the browser. The CSRF token value is not stored in the server side. Store as a Cookie Generate Token Generated Token Value Cookie In Browser The webpage that has a HTML form. The method is POST. When the HTML form is loaded, run a javascript which reads the CSRF token cookie value in the browser and add a hidden field to the HTML form modifying the DOM.  Script When the form is submitted to the action,

Cross-site Request Forgery protection in web application Synchronizer Token Pattern State Changing Operations Requires Secure Random Token to prevent CSRF Attacks. Characteristics Unique per user session Large Random Value Generated By Cryptographically secure random number generator The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs The Server rejects if CSRF token validation Fails About Application Java Based Web application which has simple hard coded login page User login to the application with user name "asd" and pssword "123" LoginForm Upon successful login session id generates and store as a cookie in browser Store Cookie Session Cookie At the same time Generates CSRF token and store in server side Generate CSRF Token Generated CSRF Token Method GenerateCSRFToken Method GenerateCSRFToken The End Point Acc

Cross-Site Request Forgery ( CSRF) What is CSRF? Cross-Site Request Forgery (CSRF) is an attack that focuses an end user to execute harmful actions on web application. The user should be authenticated user. Attacker can trick user to visit attacker’s domain. Then using CSRF attack, attacker can force user to perform state changing requests. For example, change email, bank details Example :Changing users email User loges in to web application (exmple.com)   hosted on attacker.com User visits attacker’s domain.: Attacker domain(attacker.com) The attacker tricks user’s browser into sending request that changes users email in the web application hosted on the domain example.com . When the request is sent to the domain example.com , The users authentication cookie appended to the outgoing cross site request .In this way web application knows whose email should be changed. Next the request is processed by the web application hosted on the domain example.