Preventing Cross-Site Request Forgery (CSRF) with Double Submit Token Pattern

This post is a continuation of the previous post which refers what is Cross Site Request Forgery (CSRF) and how we can prevent this attack using Synchronizer Token Pattern. As I've mentioned in the previous post there are mainly two ways of preventing a CSRF attack. In this post we will discuss how to prevent a CSRF attack using Double Submit Cookie Pattern. To get a basic understanding of how CSRF work please refer the previous post.
  • Double Submit Cookie Pattern

If storing the CSRF token in session is problematic, an alternative defense is use of a double submit cookie. A double submit cookie is defined as sending a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. When a user authenticates to a site, the site should generate a (cryptographically strong) pseudo-random value and set it as a cookie on the user’s machine separate from the session ID. The server does not have to save this value in any way, that's why this pattern is also called Stateless CSRF Defense.

The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie. Since the cookie value and the request parameter or form value must be the same, the attacker will be unable to successfully force the submission of a request with the random CSRF value.
  • Implementation
We have used java with JSP to implement the above scenario.

Login Page is as follows and user has to provide "admin" for both username and password.

In the Home page the CSRF token is sent through the body of the form as well with cookie request. Hence, the double submit part.

Validation Page, Here the CSRF token received with the request is matched with the CSRF token received   from the body of the form.

These are the cookies and tokens stored in browser with requests. Here, the session id is stored with respective CSRF token.

Now, let's move on to the code base of the project. This is the index.jsp page and handles the login aspects of the project.
  • index.jsp
  • home.jsp
We have included CSRF token as a hidden field inside the body of form to be submitted with the request.
  • confirm.jsp
  • web.xml
  • Login.java

Here, we store the generated session ID with generated CSRF token in the browser.
  • Validator.java

Here, the CSRF token received in the body of the form is matched against CSRF token received with cookie and verified. Therefore, CSRF atatck can be mitigated easily by providing token in both session cookie header and in the body of the request.

The full implementation of this example can be found at Github. See you guys with another blog series regarding security of modern online applications.

Comments

Post a Comment

Popular posts from this blog

Introduction to using ExpressJS with MongooseJS and NodeJS - Part 2

Image
This is a continuation of my previous blog on using express on NodeJS and MongooseJS. Please refer to that tutorial before continuing further in this tutorial. Here we gonna continue our previous applications CRUD functionalities, but first we gonna streamline our project by using nodemon package. Intializing Nodemon using following command, npm install nodemon --save-dev Here, Nodemon restarts the server automatically each time you save a file that the server uses. The reason for using it as only as a developing dependency is we only need it in development time. There are many ways to run the application using nodemon, but i will use a much simpler way, Here we gonna define nodemon in run script in package.json Now we need to enter the following command in terminal inorder to run the application, npm run dev So we are back to our main topic CRUD functionalities. We have already created GET-READ capability in previous tutorial. Let's start on POST-CREATE capabi...
Read more

Intoduction to NodeJS

Image
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast and scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. [TutorialsPoint] Here's a few key point regarding NodeJS, Developed by Ryan Dahl.   Created with the aim of creating real-time websites with push capabilities (websockets). NodeJS is an open source, cross platform runtime environment for server-side and networking applications. Build on V8 engine, Chrome’s JavaScript engine. Uses event-driven, non-blocking I/O model which makes NodeJS lightweight and efficient. Ideal for data-intensive real-time applications that run across distributed devices. NodeJS comes with several JavaScript libraries that help basic programming. NodeJS eco-system ‘npm’ is the largest in the world for open source libraries.   Let's...
Read more

Using OAuth 2.0 Framework to Manipulate Files in Google Drive

Image
Let's see why OAuth is important? OAuth is a specification that allows users to delegate access to their data without sharing their username and password with that service. That's cool. But why do you care, as a developer? There's a lot of information and a lot of uses that OAuth provides, that you wouldn't normally get without it, which include things like social graphs of your users, sharing information via your users, things like tweeting and posting to Facebook. You can aggregate user data in order to find interests, etc. about your users. In our day to day interactions on internet, we come across with lots of websites where we have to create accounts to use the website for our work.  If you use different credentials for different accounts, it becomes worse where you have to remember all your usernames and passwords for each website. In order to address this issue, modern websites make use of the OAuth protocol with the concepts of “Identity Federation” and “Del...
Read more