Cross Site Request Forgery Prevention - Synchronizer Token Pattern

With the Synchronizer Token approach, the server embeds a dynamic hidden variable in an input form. When the form is submitted, the server can check to make sure that the hidden variable is present and that it is the correct value.


In login.php, we have to generate a session identifier and set it as a cookie inside the web browser. At the same time it generates the “CSRF token” and saves it in the server side. The generated token is mapped to the session identifier.



In profile.php, You will see the form which you have to fill out a form providing your name, IT No and the faculty. What you can see is that there is a hidden field in this form which has the value of the received CSRF token.



When this page loads, it executes an Ajax call which calls CSRF.php via a JavaScript which invokes the endpoint for obtaining the CSRF token created. What happens in the endpoint; which is submit.php in our case, it accepts the HTTP POST request and responds with the CSRF token.

Once this form is submitted, it extracts the received token value and check whether if its the correct token issued for the particular session. If Yes it will successfully display your user profile details you entered. If not it will display you an error message.



The output is like this.








Comments

Post a Comment

Popular posts from this blog

Intrusion Detection System Vs. Intrusion Prevention System

Image
Intrusion Detection System (IDS) is a computer security system that monitors network traffics for malicious activities and alert the network administrator when malicious activities detected. IDS performs a passive monitoring and implement in passive/promiscuous mode. IDS can detect the malicious activities but cannot prevent it. IDS have these capabilities include: Monitoring about malicious activities Auditing about malicious activities Forensics about malicious activities Reporting about malicious activities Figure 1: Intrusion Detection System Attacker sends a malicious traffic via internet to the target host. Data packets will reach to both network and IDS. In IDS, packet will be inspected by sensor. Store the log report on management console. Intrusion Prevention System (IPS) is a computer security mechanism that inspect a network traffics for malicious activities (security threats or policy violations) and take actions for detected activities. IPS have capab
Read more

Social Login with Facebook

Image
Social login is a form of single sign-on using existing information from a social networking service such as Facebook, Twitter or Google+, to sign into a third party website instead of creating a new login account specifically for that website. Social login is often implemented using the OAuth standard. OAuth is a secure authorization protocol which is commonly used in conjunction with authentication to grant 3rd party applications a "session token" allowing them to make API calls to providers on the user’s behalf. Sites using the social login in this manner typically offer social features such as commenting, sharing, reactions and gamification. Step 1 : Create an application in the developer account on Facebook. Go to https://developers.facebook.com/ create a new application. Provide a display name for your application and your contact email and create the application. Once your app is created, associate “Facebook Login” with it.
Read more