Synchronizer Token Pattern 


WHY?

Cross-site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which the user is logged in. A successful CSRF attack can be devastating for both the business and the user. It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies. CSRF attacks are typically carried out using social engineering, such as an email or link that tricks the victim into sending a forged request to the server. Because the unsuspecting user is already authenticated to the application at the time of the attack, the server cannot distinguish a legitimate request from a forged one by the session cookie alone. The Synchronizer Token Pattern can be used as a mitigation against CSRF.


WHAT?

The synchronizer token pattern (STP) is a technique in which a token, a secret value that is unique per session (or per request), is embedded by the web application in all HTML forms and verified on the server side. STP is used to prevent CSRF attacks. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests rather than data theft, since the attacker has no way to see the response to the forged request.

HOW?

The synchronizer token method uses a token, known as the CSRF token, to validate requests sent by a client to the server. When a client authenticates with the server, the server creates a session and sets its identifier as a cookie in the client browser. After the session is created, the client sends another request to the server to obtain a CSRF token. The session cookie is sent along with this token request, and the server generates a CSRF token for the received session. After generating the token, the server stores it against that session in its memory and returns the token to the client in the response.

After receiving the CSRF token from the server, the client injects it into a hidden HTML input field. This completes the token initialization on the client side; from then on the client sends the token value from the hidden field along with every state-changing request to the server. The server compares the received token with the stored token value and sends a success response only if the two match.

SAMPLE WEB APPLICATION

This web application demonstrates how synchronizer tokens work. It was developed in PHP and JavaScript. The source code can be found on GitHub.

Upon successful login, a user can post something, including a first name and last name. If the server validates the user's credentials on login, it generates a session ID and a CSRF token for the session. The generated session ID is set as a browser cookie.

Session ID and CSRF token are generated using this code segment.

When the user enters the data and submits the form, the cookie carrying the session ID and the CSRF token are both sent to the server; the token travels in a hidden input field. The server validates the session ID and the CSRF token and updates the data.

The CSRF token is sent using this hidden field.

The login page is as follows.


It consists of a simple form that submits the values to /login via a POST request.

Authenticated page.

Created token.

The token is invisible to the user. When the user submits the form, this value is submitted along with the other fields.

Upon receiving the request, the server validates the session ID and the CSRF token, and the details update is completed only if both values are correct. So, in this scenario, even if an attacker can provoke a legitimate user into performing some action that sends an unintended request to the server, the cookies are sent but the CSRF token is not present, because the attacker's page cannot read it. Therefore the update is not completed, which prevents the CSRF attack.
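The flow described in the HOW section and in this walk-through (login creates a session cookie, the client fetches a token that the server stores against the session, the page embeds it in a hidden field, and the update handler compares the submitted token with the stored one) is modelled below as an added, self-contained Python example. It is not the sample application's PHP code. The /token and /update endpoint names, the SESSIONID cookie name, the csrfToken field name and the user credentials are constructed for the demo; the constant-time comparison via hmac.compare_digest is a defensive choice added here, not something the post specifies. The demo also shows a case the post does not mention: an attacker who holds a valid token for their own session cannot reuse it against the victim's session, because the token is looked up per session.

```python
import hmac
import re
import secrets

# Constructed demo credentials (not from the original application).
USERS = {"alice": "correct horse", "mallory": "battery staple"}

# Server-side state: session id -> {"user": name, "csrf": token-or-None, ...}
SESSIONS = {}


def login(username, password):
    """Hypothetical /login handler: on valid credentials create a session and
    return the session id that the server would set as the SESSIONID cookie."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": None}
    return sid


def issue_csrf_token(cookies):
    """Hypothetical /token handler: generate a token, store it against the
    caller's session and return it to the page script."""
    session = SESSIONS.get(cookies.get("SESSIONID"))
    if session is None:
        return None
    token = secrets.token_hex(32)
    session["csrf"] = token
    return token


def render_form(token):
    """Client side: embed the received token in a hidden input field."""
    return (
        '<form action="/update" method="POST">'
        '<input type="text" name="firstName">'
        '<input type="text" name="lastName">'
        f'<input type="hidden" name="csrfToken" value="{token}">'
        '<input type="submit" value="Update">'
        "</form>"
    )


def hidden_token(html):
    """Read the token back out of the rendered form (what the browser submits)."""
    m = re.search(r'name="csrfToken" value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def update(cookies, form):
    """Hypothetical /update handler: require a valid session AND a token that
    matches the one stored for that session. Returns (status, message)."""
    session = SESSIONS.get(cookies.get("SESSIONID"))
    if session is None:
        return 401, "no valid session"
    submitted = form.get("csrfToken")
    expected = session["csrf"]
    # Constant-time comparison so a mismatch leaks nothing about the stored token.
    if not submitted or expected is None or not hmac.compare_digest(submitted, expected):
        return 403, "CSRF token missing or mismatched"
    session["first"] = form.get("firstName")
    session["last"] = form.get("lastName")
    return 200, f"updated profile of {session['user']}"


def demo():
    """Run the legitimate flow and three forged/invalid requests; return statuses."""
    results = {}

    # Legitimate user: login -> fetch token -> page embeds it -> submit form.
    victim_cookies = {"SESSIONID": login("alice", "correct horse")}
    token = issue_csrf_token(victim_cookies)
    html = render_form(token)
    good_form = {"firstName": "Alice", "lastName": "Smith", "csrfToken": hidden_token(html)}
    results["legitimate"] = update(victim_cookies, good_form)[0]

    # Forged request: the browser attaches the victim's cookie automatically,
    # but the attacker's page never saw the token, so the hidden field is absent.
    forged_form = {"firstName": "Mallory", "lastName": "Owned"}
    results["forged_no_token"] = update(victim_cookies, forged_form)[0]

    # Attacker with their own account tries to reuse their own valid token
    # against the victim's session: tokens are bound per session, so it fails.
    attacker_cookies = {"SESSIONID": login("mallory", "battery staple")}
    attacker_token = issue_csrf_token(attacker_cookies)
    forged_form["csrfToken"] = attacker_token
    results["forged_cross_session"] = update(victim_cookies, forged_form)[0]

    # No session cookie at all: rejected before the token is even checked.
    results["no_session"] = update({}, good_form)[0]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:22s} -> HTTP {status}")
```

Running the script prints HTTP 200 for the legitimate submission and 403/403/401 for the three forged or session-less requests. Note that the token is only as strong as its storage: as the post's closing remark says, the server has to keep one token per live session, which this example does in the SESSIONS dictionary.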

Update successful.

Finally, one drawback of this pattern is that the server has to store all CSRF tokens. This can become a burden when many sessions are active at the same time.
