Translate

28 August 2018

Synchronizer Token Patterns in CSRF Protection

This blog is to explain about an implementation of the “Synchronizer Token Patterns” used to mitigate Cross Site Request Forgery (CSRF) attacks. The proposed application is a simple web application developed in PHP.

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

 In the case of a CSRF attack, the browser is tricked into making unauthorized requests on the victim’s behalf, without the victim’s knowledge.

 The general attack scenario contains the following steps:
  • The victim connects to the vulnerable web site, so it has a real, authenticated session.
  • The hacker forces the victim to navigate to another website containing the CSRF attack.
  • When the victim's browser execute the website page, the browser will execute a request to the vulnerable website using the user authenticated session. The user is not aware at all of the fact that navigating on the website will trigger an action on the vulnerable website.
This attack could result in a transfer of funds, changing a password, or purchasing an item in the victim’s context.

 In order to mitigate the CSRF attacks the following techniques can be used:
  • Check standard headers to verify the request is same origin
    • Determining the origin the request is coming from (source origin)
    • Determining the origin the request is going to (target origin)
  • Synchronizer Token Pattern
  • Double Submit Cookies Pattern
  • Encrypted Token Pattern
  • Custom Header

Synchronizer Token Pattern



The above diagram describes the Synchronizer Token Pattern in the following steps:

  1. Client browser requests login page and log in to the system.
  2. Server authenticates the client and generates the session id, CSRF token of the particular client. CSRF token mapped to the session id of the client and those session id, CSRF token are stored in the server side.
  3. generated session id set as cookie in the browser.
  4. Client requests the page to the server.
  5. Server sends the HTML of the requested page.
  6. When requested page loads, client browser request CSRF token to the server endpoint using AJAX call.
  7. The endpoint receives the session cookie and based on the session id, return the CSRF token value.
  8. Send the CSRF token to the client browser.
  9. Modify the HTML form hidden field that has the value of the received CSRF token.
  10. Send the HTML form to the server.
  11. Once the HTML form is submitted, in the server side, extract the received CSRF token value from the form and check if it is the correct token issued for the particular session.
  12. If the received CSRF token is valid, show success message. If not show error message.

Let's Try Out Practically


 You can clone or download the source code from the GitHub and run it on localhost.

 Just click to access the demo from the following URL,
Demo Link: https://csrf-token-synchronizer.herokuapp.com/

 You can enter the username and password in this login form.
Username: sath Password: 12345678



If the login credentials are invalid, login page will show an error message.

When login, a new session will be created and session identifier will be set as cookie in the browser.

At the same time, a CSRF token will be generated and stored into the server side.

After successful login, you will be redirected to the home page. In this home page contains the Contact Form.


During the loading of the home page, generated CSRF token value created for the session will be added to the hidden field in the HTML form's document object model (DOM) with the help of AJAX.

Inspect the page and see that there is a hidden field having the CSRF token value embedded on it.


Fill the Contact Form and submit.

As we have not modified anything there in the CSRF token field, the page redirected to the result page with success message.

  
In case attackers try Cross Site Request Forgery (CSRF) on our web page.
We are modifying the CSRF token value and submit the form to witness above scenario.


The page redirected to the result page with fail message saying that the attack is successfully eliminated using Synchronizer Token Patterns.


Overall Project Structure


index.php


index.php is created for login page.

login.php


login.php is created for validate the user, generate the session identifier and set as cookie in the browser, generate the CSRF token and stored it in the server side.

home.php


home.php is created for display the Contact Form and execute an AJAX call via a javascript, which invokes the endpoint for obtaining the CSRF token created for the session. Received CSRF token is embedded into hidden form field.

csrf_token_gen.php


csrf_token_gen.php implements an endpoint that accepts HTTP POST requests and respond with the CSRF token. The endpoint receives the session cookie and based on the session identifier, returns the CSRF token value.

csrf_token_validator.php


csrf_token_validator.php extracts the received CSRF token value and check if it is the correct token issued for the particular session.
If the received CSRF token is valid, return true. If not return false. 

result.php


if csrf_token_validator.php return result is true, result.php show success message. If not show fail message.

file.txt



file.txt is used to stored the session_id and csrf_token in the server side, these are seperated by comma.

 logout.php

logout.php is used to destroy the session of the user.
GitHub Link: https://github.com/Sathveegan/CSRF_Synchronizer_Token_Patterns

 Demo Link: https://csrf-token-synchronizer.herokuapp.com/
Posted by at No comments:
Subscribe to: Posts (Atom)