Synchronizer Token Pattern

Let’s meet Synchronizer Token Pattern



In this post, let’s discuss using the synchronizer token pattern to prevent CSRF (Cross-Site Request Forgery). The synchronizer token pattern (STP) is a technique where a token, a secret and unique value, is embedded by the web application in all HTML forms and verified on the server side.
The token is generated by the server, which ensures its uniqueness. In this post the server generates one token per session. Because the attacker cannot obtain that token, they are unable to place a correct token in their forged requests and have them accepted.

Why STP?


A third-party attacker cannot perform a CSRF attack, because cross-domain AJAX calls are blocked by the browser’s same-origin policy. In other words, when the victim is logged in to banker.com, a page on attacker.com cannot request the CSRF token from banker.com’s server via AJAX, because the domains do not match and the browser will not let attacker.com read the response.

Let’s understand Synchronizer token pattern with a flow diagram.


1. User sends a GET request to the server.
2. Server sets a cookie with the session_id and saves the token in the session data.
3. Server returns HTML with a form containing the token in a hidden field.
4. User submits the form, along with the hidden field.
5. Server compares the token from the submitted form (hidden field) with the token saved in session storage. If they match, the form was submitted by the user.


Advantages:

· Simple to implement.
· Works with AJAX.
· Works with forms.
· The session cookie can be HttpOnly, because the token travels in the form, not in the cookie.

Disadvantages:

· All forms must output the hidden field in HTML.
· Any AJAX POSTs must also include the token value.
· The page must know in advance that it requires the CSRF token so it can include it in the page content; every page must therefore carry the token value somewhere, which can make the pattern time-consuming to roll out on a large site.

Example Implementation



STEP 1 - Login UI


Start by modelling a simple index.html; this is the main page of the app. This is my index.html:



This login form submits the user credentials using the POST method. If the user is authenticated successfully, a unique session id and a CSRF token are created for that session, and the generated session id is set as a cookie in the browser.




STEP 2 - When the user clicks “log in”, the data is sent to the server side (home.php), which authenticates the user. Only if the user is authenticated does the browser receive a new cookie with the current session id and related information.




STEP 3 - At the same time, the server generates the CSRF token in server.php and stores it in memory.


Now we have successfully started the session and generated the CSRF token on the server side.

STEP 4 - Next we need a function that fetches the CSRF token from the server side (server.php) whenever a request to the server is about to be made. For that we use AJAX with JavaScript; the figure below shows what I implemented to do it.




This "loadDOC" function gets the CSRF token from server.php and stores it in a hidden field of the user’s submission form, ready to be submitted to the server.


STEP 5 - Now all we need to do is call the loadDOC function to get the CSRF token and store it in the hidden field.



STEP 6 - Next, when the user submits the form, the server needs to check whether it really comes from the correct user. For that we implement a function that compares the received CSRF token with the server’s own copy. If the request comes from the correct user, both tokens are the same.


In the figure above I implemented a separate function to check whether both CSRF tokens are the same; if so, it redirects to the "success page".



If not, it redirects to the "failed page".



That’s it: we have successfully implemented the CSRF synchronizer token pattern in our web application.


How we can say the method is safe?

Let’s say an attacker sends us a link that contains a hidden POST request to update the user’s status. The attacker is not able to add the CSRF token to their POST request, so the server will reject the request.

In my next blog post, I will be discussing how Double Submit Cookie pattern is used to prevent from the CSRF attack. link

Conclusion

The synchronizer token pattern described in this story is viable and worth considering for any application that holds useful data.


