CSRF & Synchronizer Tokens

What is Cross-site request forgery (CSRF)

First time we heard (CSRF) whats that ????


Cross site request forgery i one-click attack or session riding and abbreviated as CSRF or  XSRF   is a kind  of malicious code running or else  exploits of a web-pages  is that  unauthorized commands can be   transmitted from a user that who using the   web application and  trusts it.

Image result for csrf
Above picture will show you the basic idea about how it works

                          In the CSRF there are  so many ways in which a malicious thing  can be happens to website or web-pages which  can be transmitted by using commands from ; JavaScript XMLHttpRequests, specially-crafted image tags its mean specially SVG images so many of malware authors choose that SVG type to specially-crafted image , hidden forms, for example, we can use our  all work  without interaction or even knowledge from the  users. Unlike cross-site scripting (XSS), which that might be exploits the trust a user  who has use for a particular site, CSRF exploits the trust that a site has in a user's own web  browser

How Cross Site Request Forgery (CSRF or XSRF) attacks and work

History

  • The most popular Netflix company  website in 2006 had numerous vulnerabilities to CSRF attack
  • McAfee was also vulnerable to CSRF attack and attackers to change their company base  system
  •  YouTube was also vulnerable to CSRF in 2008 and attacker to perform nearly all actions of any users

How to prevent CSRF attacks??

When we come to mitigation of CSRF attack, there are some techniques that we can use.
  • Synchronizer token pattern
  • Double submit cookies pattern
  • Encrypted token pattern  
are some example for it.

Synchronizer Token Pattern

Synchronizer token pattern (STP) is a one of the technique where a token, value for each request are unique and secret, is embedded by the HTML forms and verified by the server side. So, now token will be generated by the any method uniqueness and unpredictability. The attacker is unable to correct their request authenticate by them. So the STP is mostly relies on HTML, so its going to implement the complexity of the server associated to check and can be enforce proper sequence of the events that can be using per session by the CSRF token instead per  request CSRF token.

How this works?

For make it easy, I'll explain the steps of this STP from a source code it self.

First, user may login to a website.  
 

At this moment, server will create a session cookie and set it in the browser and also generate a CSRF token, map it with the session identifier
In the source code, we can do all this like, 

try{
String username = request.getParameter("username");
String password = request.getParameter("password");
if(username.equals("admin")&&password.equals("admin")){
Cookie[] cookies = request.getCookies();
if(cookies != null){
for(Cookie cookie : cookies){
if(cookie.getName().equals("JSESSIONID")){
jsession = cookie.getValue();
}else{
out.println("no JSESSIONID cookies!");
}
}
}else{
out.println("null cookies!");
}
String csrfToken = generateToken();
System.out.println("Session ID : "+jsession);
System.out.println("CSRF Token : "+csrfToken);
new Map().setValue(jsession, csrfToken);
response.sendRedirect("form.jsp");
}else{
out.println("Invalid username and/or password");
}
}finally{
out.close();
}

 In the web page, need to call an AJAX request to the server in order to obtain the CSRF token, and need to embed this value to a html form's hidden element.

An Ajax call can be made using the following code segment via JavaScript.

$(document).ready(function() { $.ajax({
type : "GET",
url : uri,
dataType : "json",
cache : false,
crossDomain : true,
processData : true,
success : function(data) {
$('#csrf').val(data['token']);
},
error : function(XMLHttpRequest, textStatus, errorThrown) {
alert("error");
}
});
});


The HTML body will be like,
<form method="post" action="submit"> <table border="0" cellpadding="2" cellspacing="2">
<tr>
<td>First Name</td>
<td><input type="text" name="fname" /></td>
</tr>
<tr>
<td>Last Name</td>
<td><input type="text" name="lname" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="buttn" value="Submit" /></td>
input type="hidden" id="csrf" name="csrf" value="a"/>
</tr>
</table>
</form>


In the response, the CSRF token will come and script will add it to the html hidden field.

Now, when submitting the form the CSRF token in the hidden field will also go. Server will validate this token value and the server saved token value and process the request accordingly.

You can view this source code from my GitHub account. 
 

Comments

Post a Comment

Popular posts from this blog

Google Hacking Queries

Image
Google Hacking Queries easiest way to filter any specified path in google Filetype can be search any file types according passwords  videos and many more things you can search please when you searching type the word like this filetype:stephanhawking or type with " " qutations like these filetype:"StephanHawking" Index: index meaning unprotected  types ex: Filetype:password Then displaying these kind of page filetype : filetype:bak createobject sa filetype:bak inurl:"htaccess|passwd|shadow|htusers" filetype:cfg mrtg "target filetype:cfm "cfapplication name" password filetype:conf oekakibbs filetype:conf slapd.conf filetype:config config intext:appSettings "User ID" filetype:dat "password.dat" filetype:dat inurl:Sites.dat filetype:dat wand.dat filetype:inc dbconn filetype:inc intext:mysql_connect filetype:inc mysql_connect OR mysql_pconnect filetype:inf sysprep filetype:ini inurl:...
Read more

Sanitizing application text fields

Image
  Sanitizing application text fields to prevent SQL injections and vulnerabilities involves several best practices.   Use Parameterized Queries or Prepared Statements: Instead of directly concatenating user input into SQL queries, use parameterized queries or prepared statements provided by your programming language's database API. These methods separate the SQL query logic from the user input, making it impossible for an attacker to inject malicious SQL code. Input Validation: Validate all user input to ensure it adheres to expected formats and ranges. Reject input that contains unexpected characters or patterns that could be indicative of SQL injection attempts. Use Whitelisting: Instead of blacklisting specific characters or patterns, consider whitelisting allowed characters and formats for input fields. This approach is generally safer as it explicitly defines what is acceptable rather than attempting to identify and filter out malicious input. Escape Special Charac...
Read more