CSRF - Double Submit Cookie
Cross-site Request Forgery protection in web application
Double Submit Cookie
- Send Random Value in both Cookie and request
- Server Verify matching of Cookie Value and Requested Value
About Application
- Java Based Web application which has simple hard coded login page
- User login to the application with user name "asd" and pssword "123"
| Store as a Cookie |
Generate Token
|
- The webpage that has a HTML form. The method is POST. When the HTML form is loaded, run a javascript which reads the CSRF token cookie value in the browser and add a hidden field to the HTML form modifying the DOM.
| Script |
- When the form is submitted to the action, the CSRF token cookie will be submitted and also in the form body, the CSRF token value will be submitted.In the web page that accepts the form submission (the URL of the action), obtain the CSRF token received in the cookie and also in the message body. Compare the two values received and if they match, show success message. If not show error message
| Validation |
| Token in Message Body |
| Success |
GitHub : CSRF_DoubleSubmitCookiePattern
References
[3] js_cookies

Comments
Post a Comment