CSRF - Synchronizer Token Pattern

By -

Cross-site Request Forgery protection in web application


Synchronizer Token Pattern

State Changing Operations Requires Secure Random Token to prevent CSRF Attacks.

Characteristics

  • Unique per user session
  • Large Random Value
  • Generated By Cryptographically secure random number generator
  • The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs
  • The Server rejects if CSRF token validation Fails

About Application

  • Java Based Web application which has simple hard coded login page
  • User login to the application with user name "asd" and pssword "123"

LoginForm
  • Upon successful login session id generates and store as a cookie in browser

Store Cookie
Session Cookie
  • At the same time Generates CSRF token and store in server side


Generate CSRF Token
Generated CSRF Token


Method GenerateCSRFToken

Method GenerateCSRFToken


  • The End Point Accepts the HTTP POST requests and respond with the CSRF token.The endpoint receives the session cookie and based on the session identifier, return the CSRF token value



  • There is another HTML Form which invokes the endpoint for obtaining the CSRF token created for the session via JavaScript an Method is POST.Once the page is loaded, modify the HTML form’s document object model (DOM) and add a new hidden field that has the value of the received CSRF token.
Script
From




    • Once the HTML form is submitted to the action, in the server side, extract the received CSRF token value and check if it is the correct token issued for the particular session. If the received CSRF token is valid, show success message. If not show error message.
    Extracted Token

    Success Message


    References










    Comments

    Post a Comment

    Popular posts from this blog

    cannot find java exe neither null jre bin java exe nor null bin java exe exists(iReport)

    By -
    Image
    cannot find java exe neither null jre bin java exe nor null bin java exe exists When I was studying in my university,we have to do certain projects based on our Subjects. Therefore for the first year and second year projects we did desktop applications for Vehicle Management and Hardware management.For the improvement of the our client or the business it is a must to use certain report .It is a fast replacement comparing to the manual reports.We used Java language for those developments and NetBeans 8.1  latest IDE. For the reports we used iReport 5.6.0. But encountered with the above error even though we installed the latest versions of JDK 1.8.It was kind of a blocker for our development.But finally we overcome that problem and successfully completed the project. This might help you First I have to install NetBeans IDE. Check whether your JDK version is 1.7  If it is not then download JDK 1.7 ,JRE 1.7 and install.The link is below http://www.oracle.com/technetwork/jav
    Read more

    Google Drive API (oauth 2.0) Upload Files Java

    By -
    Image
    Upload Files Java Google Drive Create Credentials Follow previous : Create Credentials Add Dependencies to Maven Project 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 <!-- https://mvnrepository.com/artifact/com.google.apis/google-api-services-drive --> <dependency> <groupId> com.google.apis </groupId> <artifactId> google-api-services-drive </artifactId> <version> v3-rev105-1.23.0 </version> </dependency> <!-- https://mvnrepository.com/artifact/com.google.api-client/google-api-client --> <dependency> <groupId> com.google.api-client </groupId> <artifactId> google-api-client </artifactId> <version> 1.23.0 </version> </dependency> <!-- https://mvnrepository.com/artifact/com.google.oauth-client/google-oauth-client-jetty --> <dependency> <
    Read more

    CSRF - Double Submit Cookie

    By -
    Image
    Cross-site Request Forgery protection in web application Double Submit Cookie Send Random Value in both Cookie and request Server Verify matching of Cookie Value and Requested Value About Application Java Based Web application which has simple hard coded login page User login to the application with user name "asd" and pssword "123" Login Upon login, generate session identifier and set a cookie in the browser. At the same time, generate the CSRF token for the session and set a cookie in the browser. The CSRF token value is not stored in the server side. Store as a Cookie Generate Token Generated Token Value Cookie In Browser The webpage that has a HTML form. The method is POST. When the HTML form is loaded, run a javascript which reads the CSRF token cookie value in the browser and add a hidden field to the HTML form modifying the DOM.  Script When the form is submitted to the action,
    Read more