Cross-Site Request Forgery (CSRF) Mitigation — Synchronizer Token Pattern

Thisaranga Dilshan
Apr 20, 2020


What is a CSRF Attack..?

Cross-Site Request Forgery, also known as CSRF, one-click attack or session riding, is a type of attack in which a website with malicious intent sends a request to a web application that the user is already authenticated to. The requests are routed to the target site through the user's browser, and because that browser is authenticated against the site, they are accepted. This lets the attacker reach the functionality of the web application through the victim's already authenticated browser.

How it Works..

CSRF attack surfaces are usually HTTP requests that cause a change related to the victim, for example to their name, email address, website or even password. Sometimes it is also used to change the authentication status. It mainly depends on whether the target web application's user is still logged into the application through their browser.

For example, if a user visited an online banking website that had CSRF vulnerabilities and remained logged in, and another website he visits carries a CSRF attack against that banking site, the attack would be executed as if he had performed it himself. The malicious website could then take advantage of the online banking website, for example by transferring money to another account and stealing all the money in his account.

These attacks are mostly used against web applications dealing with social media, in-browser email clients and online banking. They can result in damaged client relationships, unauthorized money transfers, changed passwords and data theft, including stolen session cookies.

Identifying the CSRF Vulnerability..

The easiest way to identify whether a web application would suffer from a CSRF attack is to check whether each form and link carries an unexpected and unpredictable token tied to each user.

Methods of CSRF Prevention and Mitigation..

There are many methods for preventing and mitigating these attacks. Prevention is a matter of safeguarding login credentials and denying unauthorized actors access to applications. To do that we can follow these practices:
• Log off web applications when not in use
• Secure usernames and passwords
• Do not allow browsers to remember passwords and usernames

For web applications, the most common mitigation method is the Synchronizer Token Pattern. It generates a unique token for every session request or ID, which is checked and verified by the server. Session requests with duplicate tokens or missing values are blocked, so a request whose token does not match its session ID is prevented from reaching the application.

What is a CSRF Token..?

The Synchronizer Token Pattern is an approach where a unique token or value is generated by the server-side application for every session. It is embedded as a hidden field in HTML forms and validated by the server, which then authorizes the request that should be completed. An attacker cannot read or modify cookie values because of the same-origin policy, which is what prevents CSRF.

How this Token Works?

As shown in the diagram above, the user requests the login page and logs in to the system. At the same time the server creates a CSRF token and saves it on the server side. The next time the user interacts with the server, the browser asks the server for the CSRF token using an AJAX call. The browser then modifies the related web page and adds the CSRF token to every form. The user submits data along with the CSRF token, so the server can check whether the request came from the original user by comparing the token received with the one it stored. If they match, the server performs the action; if they do not match, it displays an error message.
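The flow above written out as an added PHP example (this is not the code from the post's project): one token per session is created from the CSPRNG, embedded as a hidden field in the transfer form, and compared in constant time before the action runs. The form field names and messages are assumptions.

```php
<?php
// Added example: synchronizer token helpers for the transfer form.
session_start();

// One unpredictable token per session, kept server-side in $_SESSION.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 CSPRNG bytes, hex-encoded so the value embeds safely in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to include in every state-changing form.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// True only when a token was sent, one is stored, and they match.
// hash_equals() compares in constant time to avoid timing leaks.
function csrf_valid(array $post): bool
{
    $sent   = $post['csrf_token'] ?? null;
    $stored = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $stored !== '' && hash_equals($stored, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        // Missing or mismatched token: reject before touching any data.
        http_response_code(403);
        exit('Invalid CSRF token, request rejected.');
    }
    // Token matched the stored one: safe to process the transfer here.
    $amount = htmlspecialchars($_POST['amount'] ?? '', ENT_QUOTES, 'UTF-8');
    echo "<p>Transfer of {$amount} accepted.</p>";
}
?>
<!-- Assumed field names, matching the Account Number / Name / Amount columns -->
<form method="post" action="">
  <?= csrf_field() ?>
  <input name="account" placeholder="Account Number">
  <input name="name" placeholder="Name">
  <input name="amount" placeholder="Amount">
  <button type="submit">Transfer</button>
</form>
```

A forged cross-site POST cannot carry the value stored in this session, so it fails the `csrf_valid` check with a 403 instead of reaching the transfer logic.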

Web page Implementation..

This sample project was developed using HTML, PHP and JavaScript. To get the source code, click here.

It is a login form, and you have to log into the application using the hard-coded username and password. You will then be redirected automatically to another page.

The credentials are:

Username: admin Password: 1234

Index Page

I created this page for only one user, so it has only one username, and any other entry must be rejected as unauthorized. If the user enters an invalid username or password, an error message is shown.

Wrong Username or Password

After the user gives the right credentials, he is redirected to a page called "login.php", which looks like this. It welcomes the user with a simple line of PHP code and starts a session.

login.php

If the user presses the "logout" button, he is redirected to the previous login page and the session is destroyed.

logout.php

When the index page loads, a session starts and a cookie is set with the name Admin.

There is a function, generate token, which creates a random number and saves it in a session variable called token. That is stored on the server side, and the token is generated only for the person who logged in.

Then the session is automatically destroyed, and the user must log in again to see the "login.php" page.

I used a function with "base64_encoding" to create this unique token. It is more secure than using md5 or other randomly generated values.

Then we call this static generate function in the value field of the HTML hidden input we created earlier. This field is invisible in the interface, and its value changes randomly when the user refreshes the browser.

If the user is authenticated, he is redirected to login.php, where transaction details can be added. When we come back to the login.php page we see a form like the one below.

We can use any number for the "Account Number" column, any word for the "Name" column and any number for the "Amount" column.

Along with Account Number, Name and Amount we pass the value of the CSRF token with the request; it is a hidden value, the method used is POST, and it is not visible in the URL.

So the token is valid, and the first time we see something like this.

But if we refresh the browser, the token is updated and this popup is displayed.

To retrieve the CSRF token, an AJAX call is executed. I used two variables, one for the token and one for the session cookie.

script.js

The AJAX call type is POST and its URL is "getdata.php". If the call succeeds, it displays the session ID on the console.

Then it gets the session ID, passes it through the "sha1" algorithm and assigns it to an array called id.
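The endpoint that AJAX call targets, as an added PHP example rather than the post's own getdata.php: it hands the session's token back as JSON only to an authenticated, same-origin AJAX request, and returns a sha1 digest of the session ID the way the post's script expects. It assumes the login page sets `$_SESSION['user']` and that the client sends the `X-Requested-With` header, as jQuery's `$.ajax` does for same-origin calls.

```php
<?php
// getdata.php: added example, not the post's own file. Returns the
// session's CSRF token to the page's own AJAX call as JSON.
session_start();
header('Content-Type: application/json');
header('Cache-Control: no-store');   // never let a proxy cache a token

// Only an authenticated session may obtain its token
// ($_SESSION['user'] is assumed to be set by the login page).
if (empty($_SESSION['user'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// A plain cross-site form post cannot add this custom header without a
// CORS preflight, so requiring it keeps the endpoint to the page's script.
if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
    http_response_code(403);
    echo json_encode(['error' => 'not an AJAX request']);
    exit;
}

// Same token for the whole session, created on first use.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// No Access-Control-Allow-Origin header is sent, so only scripts from
// this origin can read the body; other origins get an opaque failure.
// The session ID is exposed only as a sha1 digest, never raw.
echo json_encode([
    'token' => $_SESSION['csrf_token'],
    'id'    => sha1(session_id()),
]);
```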

So that's all. You can get this project from my GitHub repository.

Thank you. See you soon.
