
01 September 2018

Double Submit Cookies Pattern in CSRF Protection

This blog post explains an implementation of the “Double Submit Cookies” pattern used to mitigate Cross Site Request Forgery (CSRF) attacks. The demo application is a simple web application developed in PHP.


Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is a type of attack in which a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

In a CSRF attack, the browser is tricked into making unauthorized requests on the victim’s behalf, without the victim’s knowledge.

The general attack scenario consists of the following steps:
  • The victim connects to the vulnerable web site, so the browser holds a real, authenticated session.
  • The attacker lures the victim to another website that contains the CSRF attack.
  • When the victim's browser renders that page, it sends a request to the vulnerable website using the user's authenticated session. The user is not aware that visiting the attacker's page triggers an action on the vulnerable website.

This attack could result in a transfer of funds, changing a password, or purchasing an item in the victim’s context.

The following techniques can be used to mitigate CSRF attacks:

  • Check standard headers to verify that the request is same-origin
    • Determining the origin the request is coming from (source origin)
    • Determining the origin the request is going to (target origin)
  • Synchronizer Token Pattern
  • Double Submit Cookies Pattern
  • Encrypted Token Pattern
  • Custom Header

Double Submit Cookies Pattern



The above diagram describes the Double Submit Cookies Pattern in the following steps:

  1. The client browser requests the login page and logs in to the system.
  2. The server authenticates the client and generates a session id and a CSRF token. The CSRF token value is not stored on the server side.
  3. The generated session id and CSRF token value are set as cookies in the browser.
  4. The client requests a page from the server.
  5. The server sends the HTML of the requested page.
  6. When the HTML form is loaded, JavaScript reads the CSRF token cookie value in the browser and adds a hidden field to the HTML form by modifying the document object model (DOM).
  7. The HTML form is sent to the server.
  8. Once the HTML form is submitted, the server side obtains the CSRF token received in the cookie and the one received in the message body, and compares the two values.
  9. If the two CSRF tokens match, a success message is shown. If not, an error message is shown.

Let's Try Out Practically


You can clone or download the source code from GitHub and run it on localhost.
GitHub link: https://github.com/Sathveegan/CSRF_Double_Submit_Cookies_Patterns
Or
Just click the following URL to access the demo:
Demo Link: https://csrf-token-double-submit.herokuapp.com/
You can enter the following username and password in the login form.
Username: sath Password: 12345678


If the login credentials are invalid, the login page shows an error message.

On login, a session identifier and a CSRF token are generated and set as cookies in the browser.


The CSRF token value is not stored on the server side.


After a successful login, you are redirected to the home page, which contains the Contact Form.




When the HTML form is loaded, JavaScript reads the CSRF token cookie value in the browser and adds a hidden field to the HTML form by modifying the document object model (DOM).

Inspect the page and you will see a hidden field with the CSRF token value embedded in it.


Fill in the Contact Form and submit it.

As we have not modified anything in the CSRF token field, the page redirects to the result page with a success message.


To simulate an attacker attempting Cross Site Request Forgery (CSRF) against our web page, we modify the CSRF token value and submit the form.


The page redirects to the result page with a failure message saying that the attack was successfully eliminated using the Double Submit Cookies Pattern.


Overall Project Structure


index.php



index.php is the login page.

login.php



login.php validates the user and generates the session identifier and CSRF token, which are set as cookies in the browser.


home.php



home.php displays the Contact Form and, using JavaScript, reads the CSRF token cookie value in the browser and adds a hidden field to the HTML form by modifying the document object model (DOM).



csrf_token_validator.php



csrf_token_validator.php obtains the CSRF token received in the cookie and the one received in the message body, and compares the two values.
If the two CSRF tokens match, it returns true. If not, it returns false.

result.php


If csrf_token_validator.php returns true, result.php shows a success message. If not, it shows a failure message.

file.txt


file.txt is used to store the session_id on the server side.
The CSRF token value is not stored on the server side.

logout.php


logout.php is used to destroy the session of the user.

