CSRF - Double Submit Cookie

By -

Cross-site Request Forgery protection in web application


Double Submit Cookie

  • Send Random Value in both Cookie and request
  • Server Verify matching of Cookie Value and Requested Value

About Application

  • Java Based Web application which has simple hard coded login page
  • User login to the application with user name "asd" and pssword "123"

Login


  • Upon login, generate session identifier and set a cookie in the browser. At the same time, generate the CSRF token for the session and set a cookie in the browser. The CSRF token value is not stored in the server side.

Store as a Cookie
Generate Token

Generated Token Value

Cookie In Browser
  • The webpage that has a HTML form. The method is POST. When the HTML form is loaded, run a javascript which reads the CSRF token cookie value in the browser and add a hidden field to the HTML form modifying the DOM. 

Script
  • When the form is submitted to the action, the CSRF token cookie will be submitted and also in the form body, the CSRF token value will be submitted.In the web page that accepts the form submission (the URL of the action), obtain the CSRF token received in the cookie and also in the message body. Compare the two values received and if they match, show success message. If not show error message

Validation

Token in Message Body

Success





Comments

Post a Comment

Popular posts from this blog

cannot find java exe neither null jre bin java exe nor null bin java exe exists(iReport)

By -
Image
cannot find java exe neither null jre bin java exe nor null bin java exe exists When I was studying in my university,we have to do certain projects based on our Subjects. Therefore for the first year and second year projects we did desktop applications for Vehicle Management and Hardware management.For the improvement of the our client or the business it is a must to use certain report .It is a fast replacement comparing to the manual reports.We used Java language for those developments and NetBeans 8.1  latest IDE. For the reports we used iReport 5.6.0. But encountered with the above error even though we installed the latest versions of JDK 1.8.It was kind of a blocker for our development.But finally we overcome that problem and successfully completed the project. This might help you First I have to install NetBeans IDE. Check whether your JDK version is 1.7  If it is not then download JDK 1.7 ,JRE 1.7 and install.The link is below http://www.oracle.com/technetwork/jav
Read more

Google Drive API (oauth 2.0) Upload Files Java

By -
Image
Upload Files Java Google Drive Create Credentials Follow previous : Create Credentials Add Dependencies to Maven Project 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 <!-- https://mvnrepository.com/artifact/com.google.apis/google-api-services-drive --> <dependency> <groupId> com.google.apis </groupId> <artifactId> google-api-services-drive </artifactId> <version> v3-rev105-1.23.0 </version> </dependency> <!-- https://mvnrepository.com/artifact/com.google.api-client/google-api-client --> <dependency> <groupId> com.google.api-client </groupId> <artifactId> google-api-client </artifactId> <version> 1.23.0 </version> </dependency> <!-- https://mvnrepository.com/artifact/com.google.oauth-client/google-oauth-client-jetty --> <dependency> <
Read more