Synchronizer Token Pattern

Kushan Janith
4 min read · Oct 11, 2019


Cross Site Request Forgery (CSRF) is one of the most common and threatening web attacks in the cybercrime world. Other common attacks include Cross Site Scripting attacks, SQL Injection attacks, File Path Traversal attacks, Distributed Denial of Service (DDoS) attacks, etc. CSRF is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site to which the user is authenticated.

In this blog post, I’m going to explain one of the methods used to overcome this problem and how to implement such a solution in a web application.

Synchronizer token pattern (STP) is a technique where a token (a secret, unique value generated for each request) is embedded by the web application in all HTML forms and verified on the server side.

Let me simplify this for you,

  1. User logs into the website using valid credentials.
  2. Server creates a session for the user.
  3. User requests a CSRF token to perform an action.
  4. Then the server generates a random token value and stores it with the user’s session ID.
  5. Server sends the CSRF token value to the user.
  6. On the client side, the received token value is added to a hidden form field.
  7. The user requests to perform some action, providing the previously received CSRF token value.
  8. The server then checks the received value against the previously stored token value.
  9. If they match, the server responds with a success message; if not, with an error message.

Below I have provided some screenshots of my web application and some important parts of the code.

A random token value is generated per session

Login.php

After a legitimate user logs into this simple dashboard, the user gets two options: either delete the account or log out. Deleting an account is a critical activity, therefore the server needs to verify that the request has come from that particular user.

In the dashboard page, an AJAX call is sent to another page called ‘CSRF.php’ to generate a random token for the delete account action. When the AJAX call returns the token, the script adds that token value to a hidden field in the form.

Generating a token via an AJAX call (dashboard.php)

In the ‘CSRF.php’ page, it generates a token and then maps that token to the session ID cookie which was created in the ‘validate_login.php’ page.

Creating a cookie using the session id in ‘validate_login.php’
CSRF.php
Value added to the hidden field

Once the user hits the ‘DELETE ACCOUNT’ button, the user will be redirected to the ‘deleteAcc.php’ page.

deleteAcc.php

Here, the previously mapped value is split into the session ID and the token, and that token (the ‘csrf’ value in this screenshot) is compared against the ‘CSRF’ value that was added to the hidden field in the previous step (dashboard.php). If they all match and there are no errors, it displays a message saying that the account was deleted.

And if we append ‘1234’ to the hidden value (token) in ‘dashboard.php’, as shown below,

Nothing’s changed
‘1234’ added at the end

It will prompt an error message.
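The same flow (token issued per session, embedded in the hidden field, verified on the delete request, and the ‘1234’ tampering test) as an added PHP example that is not the post’s own code. It differs from the screenshots in one deliberate way: the token is kept only in the server-side $_SESSION rather than mapped to the session ID in a cookie, and the comparison uses hash_equals(); the function names are my own.

```php
<?php
// Added example, not the post's own code. The post maps the token to the
// session ID inside a cookie; here it lives only in the server-side $_SESSION.
declare(strict_types=1);

// Step 4: generate a random token once per session and keep it server-side.
function csrf_token_issue(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG, 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Step 6: the hidden field embedded in the delete-account form (dashboard.php).
function csrf_hidden_field(): string
{
    $token = htmlspecialchars(csrf_token_issue(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf" value="' . $token . '">';
}

// Step 8: constant-time comparison, so response timing leaks nothing.
function csrf_token_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false; // no token issued, or hidden field missing
    }
    return hash_equals($expected, $submitted);
}

// Step 9: the deleteAcc.php handler; $post stands in for $_POST.
function delete_account(array $post): string
{
    if (!csrf_token_verify($post['csrf'] ?? null)) {
        return 'Error: invalid CSRF token';
    }
    // ... delete the account here ...
    unset($_SESSION['csrf_token']); // one-time use: a replayed token is refused
    return 'Account deleted';
}

// CLI demo reproducing the post's tampering test ('1234' appended).
if (PHP_SAPI === 'cli') {
    session_start();
    $token = csrf_token_issue();
    echo delete_account(['csrf' => $token . '1234']), PHP_EOL; // refused
    echo delete_account(['csrf' => $token]), PHP_EOL;          // accepted
    echo delete_account(['csrf' => $token]), PHP_EOL;          // replay refused
}
```

In a real page, call session_start() before csrf_hidden_field() in dashboard.php and before delete_account($_POST) in deleteAcc.php, so both see the same session.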
