Get rid of CSRF: Synchronized Token Pattern

Dushan Dissanayake
Oct 11, 2019


Preventing CSRF Vulnerabilities

In my previous article I discussed how CSRF attacks happen. This write-up walks through the effective methods of preventing them and how to implement them so that all the cases are covered.

Security experts have proposed many CSRF prevention mechanisms, but most of them are hard to apply to every kind of application, or they fail in some scenarios. Two mechanisms have held up as the main ones: the Synchronized Token Pattern (more commonly called the Synchronizer Token Pattern) and the Double Submit Cookie method. First, we will go deep into the more popular of the two, the Synchronized Token Pattern (STP).

Synchronized Token Pattern

In this method the server generates a CSRF token tied to a particular user's session. The token is sent as a hidden value in every state-changing form request in the web application, and the server validates it before acting on the request.

How it works

After a successful login, the server generates a session ID and a random, unpredictable string called the CSRF token, and it stores the token together with the session ID on the server side. When the client is about to make a state-changing request, it requests the CSRF token from the server with an AJAX call; the browser sends the session cookie with that call, so the server can look up the token that belongs to this session. After receiving the token, the client adds it to the form as a hidden field and submits the form. (In the classic form of the pattern the server simply renders the token into the hidden field when it serves the page; the sample application in this article uses the AJAX variant described here.)

The server compares the token received from the client with the token it saved for that session. If they match, the submission is valid; if the token is missing or different, the request is rejected. The comparison should be constant-time (hash_equals() in PHP) so that response timing does not leak the token.
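As an added example (not the article's sample code) of the pattern just described, here is the classic form of the Synchronizer Token Pattern in PHP, in which the server renders the token straight into the form's hidden field instead of handing it out through a separate AJAX call. It assumes PHP 7 or later with the built-in session handling; the field name and session key are arbitrary choices for the demo.

```php
<?php
// Added example, not the article's sample application: classic Synchronizer
// Token Pattern with the token rendered into the form at page-load time.
// Assumes PHP >= 7.0 (random_bytes, hash_equals) and PHP's built-in sessions.
declare(strict_types=1);

session_start();

/** Return this session's CSRF token, creating one the first time it is asked for. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG; hex keeps the value safe to place in HTML.
        // The encoding adds no security, the 32 random bytes do.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only if the submitted value matches the token bound to this session. */
function csrf_valid($submitted): bool
{
    // Reject arrays (csrf_token[]=...) and sessions that never got a token;
    // without the second check hash_equals('', '') would be true.
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so an attacker cannot learn
    // the token byte by byte from response timing.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    // Token is good: perform the state change, e.g. update the status.
    $status = $_POST['status'] ?? '';
    echo 'Status updated to: ' . htmlspecialchars($status, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<!-- GET: render the form with the session's token as a hidden field -->
<form method="post" action="">
    <input type="text" name="status">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Update status</button>
</form>
```

Run it with `php -S 127.0.0.1:8000 stp_form.php` and submit the form; a POST without the hidden field, or with a value copied from another session, gets a 403. On login the application should also call session_regenerate_id(true) and drop any old token so that a token issued before authentication cannot be reused afterwards.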

Source : https://insidethecpu.com/tag/synchronizer-token/

What is with AJAX?

AJAX lets a web page be updated asynchronously, i.e. part of the page can be updated without reloading the whole page. What matters here is that the browser subjects AJAX requests to the same-origin policy: a script can read the response of an AJAX request only if the page it runs on has the same origin (scheme, host and port) as the requested URL, unless the server explicitly opens the response up with CORS headers.

This means that if the attacker's page is on xyz.com and the victim is logged into abc.com, the attacker's script cannot obtain the CSRF token via an AJAX call: the browser may send the request, but it will not let xyz.com read abc.com's response because the origins do not match. Two caveats follow from this. The token endpoint must never reflect arbitrary origins in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, or an attacker's page would be allowed to read the token. And the endpoint must return a token only for the session identified by the request's cookie; otherwise it hands a valid token to anyone who asks.

Implementation

You can obtain the source code of this sample web application here.

First we need to log into the application by providing a username and password. The credentials are hard-coded as follows.

Username: admin

Password: admin

Login Page
login.php

The credentials are submitted with a POST request. If the user is authenticated, the server generates the session ID and the CSRF token and saves them on the server side. At the same time, the generated session ID is set as a cookie in the browser using the setcookie() function. The cookie should carry the HttpOnly and Secure flags (and a SameSite attribute) so that scripts cannot read the session ID and it is only sent over HTTPS.

The stored session ID and token are written to the saved_tokens.txt file. A plain-text file is fine for a demo, but a real application would keep the token in its server-side session store.

saved_tokens.txt

A successful login redirects to home.php, which contains a POST form for updating a status.

Home Page
home.php

An AJAX call is sent to the server to obtain the CSRF token. The openssl_random_pseudo_bytes(32) function is used to generate the token, and the 32 random bytes are base64-encoded. Note that the encoding adds no security; it only turns the raw bytes into printable text that can be placed in a hidden field and compared as a string. The security comes from the 32 bytes of unpredictable randomness. On PHP 7 and later, random_bytes() is the preferred source, and if openssl_random_pseudo_bytes() is used its second, by-reference argument should be checked to confirm the bytes came from a cryptographically strong generator.

token_generator.php

The user's status update request carries the generated CSRF token in the POST body. The server takes the session ID from the cookie and the token from the body and checks both against the values it saved, so a token is only accepted for the session it was issued to. The string comparison should use hash_equals() rather than == so that it runs in constant time.

token.php

If the token matches, the server treats the request as valid.

result.php
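The following is an added example, not the article's own login.php, token_generator.php, token.php or result.php, that puts the AJAX variant of the pattern described in "How it works" and "What is with AJAX?" and implemented above into one PHP front-controller script: the login action issues the session and the token, the token action hands the token out only to a logged-in session from the same origin and sends no CORS headers, and the update action validates the submitted token in constant time. The ?action= routing, the demo credentials (admin/admin, as in the sample application), the session-based token store and the Origin check are assumptions made for this demo.

```php
<?php
// Added example, not the article's sample application. Run with
//   php -S 127.0.0.1:8000 csrf_demo.php
// and route on ?action=login|token|update. Assumes PHP >= 7.3
// (array form of session_set_cookie_params, random_bytes, hash_equals).
declare(strict_types=1);

// HttpOnly keeps scripts from reading the session id; SameSite=Lax withholds the
// cookie on cross-site POSTs, a second line of defence next to the token.
// 'secure' is false only because the demo runs over plain http.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => false]);
session_start();

/** Send a JSON reply and stop. Deliberately emits no CORS headers. */
function json(int $code, array $body): void
{
    http_response_code($code);
    header('Content-Type: application/json');
    header('Cache-Control: no-store');      // never let a token reply be cached
    echo json_encode($body);
    exit;
}

/** Defence in depth: reject requests whose Origin header names another site. */
function same_origin_request(): bool
{
    // Browsers add Origin to cross-origin AJAX and to cross-site POSTs; a
    // same-origin GET carries none, so a missing header is accepted here.
    if (!isset($_SERVER['HTTP_ORIGIN'])) {
        return true;
    }
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    return $_SERVER['HTTP_ORIGIN'] === $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? '');
}

$action = $_GET['action'] ?? '';

switch ($action) {             // json() exits, so no break is needed after a case
    case 'login':
        // Demo credentials only (assumption: hard-coded, as in the sample app).
        if (($_POST['username'] ?? '') !== 'admin' || ($_POST['password'] ?? '') !== 'admin') {
            json(401, ['error' => 'bad credentials']);
        }
        session_regenerate_id(true);                        // fresh session id after login
        $_SESSION['user'] = 'admin';
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // token bound to this session
        json(200, ['ok' => true]);

    case 'token':
        // The endpoint the page's AJAX call hits. Its protection is the
        // same-origin policy: a foreign page can send the request but cannot
        // read this reply, provided no CORS headers are ever added here.
        if (empty($_SESSION['user']) || !same_origin_request()) {
            json(403, ['error' => 'not allowed']);
        }
        json(200, ['csrf_token' => $_SESSION['csrf_token']]);

    case 'update':
        if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['user']) || !same_origin_request()) {
            json(403, ['error' => 'login required']);
        }
        $submitted = $_POST['csrf_token'] ?? '';
        // Constant-time comparison against the token stored for THIS session.
        // The empty() check matters: hash_equals('', '') would be true.
        if (!is_string($submitted) || empty($_SESSION['csrf_token'])
            || !hash_equals($_SESSION['csrf_token'], $submitted)) {
            json(403, ['error' => 'CSRF token invalid']);
        }
        $_SESSION['status'] = $_POST['status'] ?? '';
        json(200, ['ok' => true, 'status' => $_SESSION['status']]);

    default:
        json(404, ['error' => 'unknown action']);
}
```

The page's script fetches `/csrf_demo.php?action=token` with credentials included, copies the csrf_token value into the hidden field, and submits the form to `?action=update`. To see the pattern hold, log in with curl using a cookie jar, then POST to update once with the token from the token action and once with a made-up value: the first returns 200, the second 403, and a request carrying no session cookie at all cannot even obtain a token.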

That covers the whole Synchronized Token Pattern scenario. I will wrap up the article here and hope to see you soon with the next CSRF prevention mechanism, the Double Submit Cookie method.
