Cross-site Request Forgery Protection: Synchronizer Token Patterns


Overview

CSRF, or Cross-Site Request Forgery, is a web-based attack in which an attacker persuades or tricks a user into sending a malicious, unwanted HTTP request to a service the user is already signed into. For example, an attacker could send you a link, and when you click it your browser could send a request to Facebook to change your status, provided you are already signed in and have all the cookies set.
For more information, see how OWASP defines it.
However, there are ways to avoid it, and this blog post will show one of them.

Application

This is a two-part series. In this part a method of avoiding CSRF will be introduced and an application that uses it will be shown. The method embeds a CSRF token in the HTML forms from which requests are sent. To explain this, a simple application will be used. It contains the following files.

Opening the web page shows the following.

It is a simple login screen; for the sake of simplicity both credentials are hard coded as "csrf_token". A POST request to "result.php" is then submitted with the credential details as follows.

Taking a closer look at the result.php code, the credentials are checked first, as follows.

However, the important part comes after it: the Ajax call to "csrf_token_generator.php" that fetches the CSRF token, as follows.

This is csrf_token_generator.php:

This code takes the CSRF token it obtained and inserts it into a field of another form, which can be seen below.

This form also sends a POST request to home.php, but notice the hidden field: the CSRF token is embedded in it and is sent along with the request. The form is rendered as follows.

Looking at home.php, we can see that it first calls tokens.php, which has the following code.

And looking back at home.php...
The CSRF token received via the POST request is compared with the cookie value that was set in csrf_token_generator.php, and the request is only processed if the two match.
The point that should be highlighted, and the golden rule behind CSRF tokens, is the browser's same-origin policy: a malicious web page on another origin set up to launch a CSRF attack cannot make an Ajax call to csrf_token_generator.php and read the CSRF token from the response. The requests sent by such pages therefore arrive without a valid token and are discarded by home.php.
In the next blog post I will discuss how CSRF can be avoided by another means, the Double Submit Cookie.
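The token generation and the check in home.php described above, written out as a self-contained Python example (added here; it is not code from the post's PHP application). It assumes the expected token is kept in a server-side session record, the classic synchronizer token layout, rather than in the cookie that the post's csrf_token_generator.php sets; the in-memory session store and the sample form submissions are constructed for the demo. It also covers the failure modes a practitioner wants handled: a form submitted without a token, a guessed token, and a replay of an already-used token.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for PHP's server-side session storage (assumption: the
# post's app keeps the expected token in a cookie; here it lives server-side,
# keyed by session id, which is the classic synchronizer token layout).
_SESSIONS: Dict[str, Dict[str, str]] = {}


def start_session() -> str:
    """Create a logged-in session and return its id (the value a session cookie would carry)."""
    session_id = secrets.token_hex(16)
    _SESSIONS[session_id] = {}
    return session_id


def generate_csrf_token(session_id: str) -> str:
    """Role of csrf_token_generator.php: mint an unguessable token, bind it to the
    caller's session and return it so the page can place it in the hidden field."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _SESSIONS[session_id]["csrf_token"] = token
    return token


def validate_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Role of the check in home.php: the POSTed token must equal the one bound to
    this session. Unknown session, missing token or mismatch all fail closed."""
    session = _SESSIONS.get(session_id)
    if session is None or not submitted:
        return False
    expected = session.get("csrf_token")
    if expected is None:
        return False
    # Constant-time comparison so the check leaks nothing about the expected value.
    return hmac.compare_digest(expected, submitted)


def handle_home_post(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Simplified home.php: refuse the request unless the token checks out, then
    consume the token so a replay of the same form is refused as well."""
    if not validate_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    _SESSIONS[session_id].pop("csrf_token", None)  # one-time use
    return 200, f"Welcome, {form.get('username', 'anonymous')}"


def demo() -> Tuple[int, int, int, int]:
    """Run two forged requests, the legitimate one and a replay; return the four status codes."""
    sid = start_session()             # user logs in via result.php
    token = generate_csrf_token(sid)  # the Ajax call fetches the token for this session
    # Forged form from another origin: the browser attaches the session cookie,
    # but the attacker's page could never read the token, so the field is absent.
    forged = handle_home_post(sid, {"username": "csrf_token"})
    # Attacker guesses a token value instead: still rejected.
    guessed = handle_home_post(
        sid, {"username": "csrf_token", "csrf_token": secrets.token_urlsafe(32)}
    )
    # The genuine form carries the token in its hidden field.
    legit = handle_home_post(sid, {"username": "csrf_token", "csrf_token": token})
    # Re-submitting the same form after it was consumed is refused.
    replay = handle_home_post(sid, {"username": "csrf_token", "csrf_token": token})
    return forged[0], guessed[0], legit[0], replay[0]


if __name__ == "__main__":
    print(demo())  # (403, 403, 200, 403)
```

Two details matter beyond the match itself: the comparison uses `hmac.compare_digest` rather than `==` so that timing does not reveal how many leading bytes of a guess were right, and the token is generated with `secrets` (a CSPRNG) so it cannot be predicted from earlier tokens. Consuming the token after use is optional in the synchronizer pattern but closes the replay case shown in `demo()`.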

The application used can be found on GitHub; see the Links section.

Links
