CSRF Token-Synchronizer Token Patterns

Cross-site Request Forgery Protection in web applications via Synchronizer Token Patterns

What is Cross-site Request Forgery (CSRF)?

CSRF is a type of malicious exploit of a website, also known as a one-click attack or session riding. It forces an end user to execute unwanted actions on a web application in which they are currently authenticated. The attack mainly targets state-changing requests, not data theft.


As an example, suppose user 'A' wants to transfer $200 to bank 'B'. 'A' sends a request to bank 'B', and the bank authenticates user 'A' before responding. An attacker who wants to defraud user 'A' of this money can craft a malicious web link and trick the user into clicking it. The user believes the click performs the transfer, but the attacker has arranged the request so that the money goes to the attacker's account instead. To avoid this kind of state-changing attack we need to enable CSRF protection in our web pages.

What is Synchronizer token pattern?

Synchronizer token pattern (STP) is a technique in which a token (a secret, unique value for each request) is embedded by the web application in all HTML forms and verified on the server side. The token may be generated by any method that ensures unpredictability and uniqueness (e.g. a hash chain seeded with a random value). The attacker is thus unable to place a correct token in their requests to get them accepted.

In this blog post, we are going to present how to mitigate this kind of attack by enabling CSRF token validation.

We have a simple login page that takes a username and password and checks them against hardcoded values. Once the user is authenticated, the server creates a session and also generates a CSRF token. On a successful login, the token is stored in a hidden field on the web page. When the user then continues by submitting any action, the token from the hidden field is sent along and compared with the CSRF token value stored on the server side. If the token in the hidden field is wrong, the request is discarded and the user is redirected to the login page. Otherwise the request is processed on the assumption that an authenticated user is acting in that session.

Let's look at the source code.

  • Front End - Angular CLI
  • Back End - Node JS

  • This is the login component we created for our login page. You can enter your username and password. If the entered values are correct, it redirects to the profile component.

  • Send the username and password to the backend using a POST request. If the response is successful, get the CSRF token and save it in a cookie. If the server failed to authenticate the user, display an error message.
  • On the server side, validate the username and password. If they are valid, create a token and save it in a list. The server then sends the token to the frontend.
  • After a successful login, the user is redirected to the profile page. When the profile page loads, get the token and save it in a hidden field. Keeping the token in a hidden field means attackers cannot get hold of it.
  • After the token is saved in the hidden field, the client can read the token value and send it with all state-changing operations in the HTTP body of the message.
  • On the server side, read the token from the request body and validate it. If it is valid, perform the action; otherwise send an error message to the frontend.


Here is the link to clone the source code from GitHub:

https://github.com/ShalithaM/Synchronizer_Token_Pattern.git
