Monday, May 14, 2018

Cross-site Request Forgery in web application via Double submit cookie.

CSRF attacks can be defended against in several ways. The previous blog post clearly describes what a CSRF attack is and how to defend against it using the synchronizer token pattern. This blog post demonstrates how to defend against a CSRF attack using a double submit cookie. When storing the CSRF token in the session is problematic, an alternative defense is the use of a double submit cookie. A double submit cookie is defined as sending a random value both in a cookie and as a request parameter, with the server verifying that the cookie value and the request value match.


When a user authenticates to a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine separate from the session id. The site does not have to save this value in any way, thus avoiding server side state. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie. Since the cookie value and the request parameter or form value must be the same, the attacker will be unable to successfully force the submission of a request with the random CSRF value.





This blog post describes a simple demonstration of a double submit cookie. For demonstration purposes the user login is hard coded. After providing the correct credentials to the login form, a user can log in.











If the provided credentials are wrong, it displays an error message.


  




Upon login, this website generates a session identifier and sets it as a cookie in the browser. At the same time the CSRF token for this session is also generated and set as a cookie in the browser. The CSRF token value is not stored on the server side.







This web page is implemented with an HTML form whose method is POST and whose action is another URL on the same website.






While the HTML form is loading, a JavaScript snippet runs, which reads the CSRF token cookie value in the browser. The JavaScript then modifies the DOM to add a hidden field containing that value to the HTML form.

When the form is submitted to the action URL, the CSRF token cookie is sent along with the request and the CSRF token value in the form body is submitted as well. The server compares the value of the CSRF token cookie it receives with the value in the message body; if the values match, a success message is displayed.







For demonstration purposes I have changed the value of the CSRF token in the HTML body, as follows.






Now the values do not match, and an error message is shown.





A simple project which demonstrates the above procedure is available at the following link.
