Synchronizer Token Pattern
Let’s meet Synchronizer Token Pattern
In this post, let's discuss using the synchronizer token pattern to prevent CSRF (Cross-Site Request Forgery). The synchronizer token pattern (STP) is a technique where a token, a secret and unique value, is embedded by the web application in all HTML forms and verified on the server side.
The token is generated by the server, which ensures its uniqueness. In general the token is unique per request; in the example here, the server generates one token per session. Because the attacker cannot obtain this value, they are unable to place a correct token in their forged requests, so those requests are not accepted.
Why STP?
A third-party attacker cannot perform a CSRF attack, because the attacker's script cannot read the response of a cross-domain AJAX call. That is, while the victim is logged in to banker.com, a page on attacker.com cannot request the CSRF token from banker.com's server via AJAX and read it back, because the domains do not match and the same-origin policy blocks such cross-domain reads.
Let's understand the synchronizer token pattern with a flow diagram.
1. The user sends a GET request to the server.
2. The server sets a cookie with the session_id and saves the session data together with the token.
3. The server returns HTML with a form containing the token in a hidden field.
4. The user submits the form along with the hidden field.
Advantages:
· Simple to implement.
· Works with AJAX.
· Works with forms.
· The cookie can actually be HttpOnly.
Disadvantages:
· All forms must output the hidden field in HTML.
· Any AJAX POSTs must also include the value.
· The page must know in advance that it requires the CSRF token so it can include it in the page content, so all pages must contain the token value somewhere, which could make it time-consuming to implement for a large site.
Example Implementation
STEP 1 - Login UI
You need to model a simple index.html; this is the main page of the app. This is my index.html:
This login form submits the user credentials using a POST method. If the user is authenticated successfully, a unique session id and the CSRF token are created along with this session, and at the same time the generated session id is set as a cookie in the browser.
STEP 2 - When the user clicks Log in, the data is sent to the server side (home.php), which authenticates the user. Only if the user is authenticated does the client browser receive a new cookie with the current session id and the relevant information.
STEP 3 - At the same time the server generates the CSRF token in server.php and stores it in memory.
Now we have successfully started the session and generated the CSRF token on the server side.
STEP 4 - Now we need to implement a function that fetches the CSRF token from the server side (server.php) whenever we need to make a request to the server. For that we use AJAX with JavaScript; the figure below shows what I implemented to do it.
This "loadDOC" function gets the CSRF token from server.php and stores it in a hidden field of the user's submission form, ready to be sent to the server.
STEP 5 - Now we need to call the loadDOC function to get the CSRF token and store it in the hidden field.
STEP 6 - Next, when the user submits the form, the server needs to check whether it is coming from the correct user. For that we implement a function that compares the received CSRF token with the server's own copy; if the request comes from the correct user, both CSRF tokens are the same.
In the figure above I implemented a separate function that checks whether both CSRF tokens are the same. If so, it redirects to the "success page"; if not, it redirects to the "failed page".
That's it: we have successfully implemented the CSRF synchronizer token pattern in our web application.
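The whole flow above (steps 2 to 6, and the four-step diagram earlier in the post) in one runnable place, as an added example that is not the post's own code (the linked project is PHP, this is a Python stand-in): an in-memory session store replaces PHP's server-side session storage, the user table and credentials are constructed for the demo, and the "success page" / "failed page" strings are the redirect targets the post describes. The demo() function shows why the check holds: a forged POST that carries the victim's cookie but no token, a guessed token, or a token taken from a different session is all rejected.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store standing in for the server's session
# storage (the post's PHP example also keeps the token "in memory" server-side).
SESSIONS: Dict[str, dict] = {}

# Constructed demo credentials; a real application checks a user database.
DEMO_USERS = {"alice": "correct horse", "bob": "battery staple"}


def login(username: str, password: str) -> Optional[str]:
    """STEP 2 and 3: authenticate, start a session, generate the CSRF token.

    Returns the new session id (to be set as an HttpOnly cookie), or None if
    the credentials are wrong.
    """
    if DEMO_USERS.get(username) != password:
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": username,
        # One token per session, as in the post. token_urlsafe draws from the
        # OS CSPRNG, so the value is not guessable.
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def get_csrf_token(cookie_session_id: Optional[str]) -> Optional[str]:
    """STEP 4: what server.php hands back to the loadDOC AJAX call.

    The token is looked up from the session named by the cookie, so only the
    browser holding that cookie, running on the application's own origin,
    can read it; a cross-origin page cannot read this response.
    """
    session = SESSIONS.get(cookie_session_id or "")
    return session["csrf_token"] if session else None


def render_form(cookie_session_id: str) -> str:
    """STEP 5: the submission form with the token in a hidden field.

    token_urlsafe only emits [A-Za-z0-9_-], so the value is safe to place in
    an HTML attribute without further escaping.
    """
    token = get_csrf_token(cookie_session_id)
    if token is None:
        raise PermissionError("no valid session")
    return (
        '<form method="POST" action="/update_status">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="status">'
        '<button type="submit">Update</button>'
        "</form>"
    )


def handle_post(cookie_session_id: Optional[str], form: Dict[str, str]) -> str:
    """STEP 6: accept the POST only if the submitted token matches the one
    stored for the session named by the cookie. Returns the page the post's
    example redirects to.
    """
    session = SESSIONS.get(cookie_session_id or "")
    if session is None:
        return "failed page"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: does not leak the token through
    # timing, and tolerates non-ASCII input that str comparison would reject.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return "failed page"
    session["status"] = form.get("status", "")
    return "success page"


def demo() -> Dict[str, str]:
    """Walk the flow: the legitimate submission succeeds, forged ones fail."""
    victim_sid = login("alice", "correct horse")
    attacker_sid = login("bob", "battery staple")
    token = get_csrf_token(victim_sid)
    render_form(victim_sid)  # the hidden field loadDOC fills in on the page
    return {
        # Genuine submission: cookie and hidden field belong to the same session.
        "legit": handle_post(victim_sid, {"csrf_token": token, "status": "hello"}),
        # Forged request: the browser attaches the cookie automatically, but the
        # foreign page could not read the token, so the field is missing.
        "no_token": handle_post(victim_sid, {"status": "owned"}),
        # Forged request carrying a guessed token.
        "guessed": handle_post(victim_sid, {"csrf_token": "guess", "status": "owned"}),
        # A valid token from a different session does not fit the victim's cookie.
        "other_session": handle_post(
            victim_sid, {"csrf_token": get_csrf_token(attacker_sid), "status": "owned"}
        ),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The two things a practitioner should carry over to the real PHP are the binding of the token to the session identified by the cookie (never accept a token on its own) and the constant-time comparison when checking it.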
How can we say the method is safe?
Let's say an attacker sends us a link that contains a hidden POST request to update the user's status. The attacker is not able to add the CSRF token to the attacker's POST request, so the server will ignore the request.
The source link of the example: https://github.com/NaveenWimalaveera/synchronizer-token-pattern-csrf
In my next blog post, I will discuss how the Double Submit Cookie pattern is used to prevent CSRF attacks.
Conclusion
The synchronizer token pattern techniques described in this story are viable and worth a thought for any application that holds useful data.