Posts

Showing posts from May, 2019

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that takes advantage of users who are already authenticated to a web application by making them perform unwanted actions in that application. An attacker can trick the users of a web application, for example by sending a link via email that executes a hidden action. CSRF attacks are not useful for data theft, since they target state-changing requests, meaning the attacker cannot see the response of the forged request. The attacker can, however, make the victim unknowingly perform various actions such as changing their login information, transferring funds, etc. How does it work? To explain how a CSRF attack is carried out, let us take a look at a simple example. Bob wants to transfer Rs.7000 to Alice through HNB bank's online transaction portal. To do so, Bob authenticates to the bank's website using his credentials. Eve is the attacker in this scenario, and she plans on using a CSRF attack to get money transferred to her from Bob. To do this successf...

Double Submit Cookies Pattern

This blog post explains how the Double Submit Cookie Pattern (DSCP) can be used to prevent CSRF attacks. What is the Double Submit Cookie Pattern? Like the Synchronizer Token Pattern, it uses a random token value, but unlike the Synchronizer Token Pattern, where the token is stored on the server side, the Double Submit Cookie Pattern does not store the token. Instead, it sets the CSRF token as a cookie, then reads that cookie value and inserts it into a hidden field in each HTML form sent to the client. When the form is submitted, the submitted token value is compared with the cookie token, and if they match, the form is allowed to submit. Because of this random value, an attacker will not be able to place a correct token in their forged request, making them unable to perform CSRF attacks. How does it work? To explain how the Double Submit Cookie Pattern works, let us take a look at the following example (Source code can be obtained ...

Synchronizer Token Pattern

This blog post explains how the Synchronizer Token Pattern can be used to prevent CSRF attacks. What is the Synchronizer Token Pattern? The Synchronizer Token Pattern (STP) is a technique that uses a token (a unique secret value) for each request. This token is embedded in all HTML forms and verified on the server side. Because of this random value, an attacker will not be able to place a correct token in their forged request, making them unable to perform CSRF attacks. How does it work? To explain how the Synchronizer Token Pattern works, let us take a look at the following example (Source code can be obtained here ). STP example web application Upon running the web application, we are greeted by a login page, and we log in using the hardcoded credentials: Username : user Password : csrf1 Before continuing with the flow, let us take a look at the token class implemented as shown below: Token class and its methods As shown above, the token class has three...