Posts

Using OAuth 2.0 Framework to Manipulate Files in Google Drive

Let's see why OAuth is important. OAuth is a specification that allows users to delegate access to their data to a service without sharing their username and password with that service. That's cool. But why do you care, as a developer? OAuth gives you a lot of information and a lot of uses that you wouldn't normally get without it, including things like the social graphs of your users, sharing information via your users, and actions like tweeting and posting to Facebook. You can aggregate user data in order to find the interests, etc. of your users. In our day-to-day interactions on the internet, we come across lots of websites where we have to create accounts in order to use them for our work. If you use different credentials for different accounts, it becomes worse, because you have to remember a username and password for each website. In order to address this issue, modern websites make use of the OAuth protocol together with the concepts of “Identity Federation” and “Del...

Preventing Cross-Site Request Forgery (CSRF) with Double Submit Token Pattern

This post is a continuation of the previous post, which explains what Cross Site Request Forgery (CSRF) is and how we can prevent this attack using the Synchronizer Token Pattern. As I mentioned in the previous post, there are mainly two ways of preventing a CSRF attack. In this post we will discuss how to prevent a CSRF attack using the Double Submit Cookie Pattern. To get a basic understanding of how CSRF works, please refer to the previous post. Double Submit Cookie Pattern If storing the CSRF token in the session is problematic, an alternative defense is the use of a double submit cookie. A double submit cookie is defined as sending a random value both in a cookie and as a request parameter, with the server verifying that the cookie value and the request value match. When a user authenticates to a site, the site should generate a (cryptographically strong) pseudo-random value and set it as a cookie on the user’s machine, separate from the session ID. The server does not have to save this va...

Preventing Cross-Site Request Forgery (CSRF) with Synchronizer Token Pattern

First, let's see what CSRF is and its impact on the security of a system. According to CWE, CSRF occurs when the application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. To elaborate, when a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, it might be possible for an attacker to trick a client into making an unintentional request to the web server, which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc., and can result in exposure of data or unintended code execution. In 2010 this vulnerability was ranked number 5 in the OWASP Top 10 Most Critical Web Application Security Risks index, but the widespread awareness raised by the industry has caused this vulnerability to drop out of the Top 10 ...

Introduction to using ExpressJS with MongooseJS and NodeJS - Part 2

This is a continuation of my previous blog post on using Express on NodeJS with MongooseJS. Please refer to that tutorial before continuing further with this one. Here we are going to continue the CRUD functionality of our previous application, but first we are going to streamline our project by using the nodemon package. Initialize nodemon using the following command: npm install nodemon --save-dev Nodemon restarts the server automatically each time you save a file that the server uses. The reason for installing it only as a development dependency is that we only need it at development time. There are many ways to run the application using nodemon, but I will use a much simpler way: we define nodemon in a run script in package.json. Now we need to enter the following command in the terminal in order to run the application: npm run dev So we are back to our main topic, CRUD functionality. We have already created the GET-READ capability in the previous tutorial. Let's start on the POST-CREATE capabi...