Cross-site Request Forgery Protection: Double Submit Cookie Pattern
Overview
This is the second part of a two-part series on CSRF protection. In the first part we discussed the Token Synchronizer Pattern; in this part we will discuss the Double Submit Cookie Pattern. In this method, instead of storing the CSRF token on the server side (in our case it was a text file), the token is stored on the client side as a cookie. Therefore two cookies are created: one for the session and another for the CSRF token. Let's see it in practice to understand it better.
Application
These are the files we are working with. Walking into it blindly we see the same page as in the previous example: a single login form, this time with hard-coded credentials, "csrf_cookie" for both username and password.
Looking at the code, an HTML form POST request is sent to result.php.
In result.php the first thing done is to check the credentials; if they match, two cookies are set as before, one for the CSRF token and one for the session.
Next we can see this cookie value being read and embedded into an HTML tag as follows.
Finally another form is shown, along with the HTML tag into which the token value is embedded. Notice the hidden field: in the previous code section the token value was added to it, and with it another HTTP POST request is sent to home.php.
And result.php would appear like this:
At home.php, token.php is included, which looks like this:
Here a function called checkToken is defined, taking two arguments, $token and $cookiecsrf, and checking whether the two values are equal. The actual use of this function can be seen in home.php.
As you can see, the function defined in token.php is called here, with the token obtained from the HTTP request earlier and the token obtained from the cookie both passed to checkToken; if they are equal then bam, we are done.
And it was indeed a success, because the values obtained from the cookie and from the request are the same.
The golden rule that applies to this method is that a domain can use ONLY the cookies it created. It makes sense that Facebook can't use the cookies that Google created; in the same way an attacker can't make a malicious page send a forged HTTP request, because it can't obtain the cookies created by the party to which it is trying to make the request, since the two reside in different domains.
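The flow described above (issue the token as a cookie at login, embed the same value in a hidden field, compare the two copies on the next POST) collected into one self-contained PHP file. This is an added example, not the blog's own code or the application on GitHub; the cookie name csrf_token, the action parameter and the /home.php form target are assumptions. It keeps the checkToken name from the post but compares with hash_equals instead of a plain equality test, and sets the cookie attributes a defender would want.

```php
<?php
// Added example (not the blog's code): the Double Submit Cookie pattern in
// one PHP file. The cookie name, the "action" parameter and the /home.php
// form target are assumptions made for illustration.
declare(strict_types=1);

const CSRF_COOKIE = 'csrf_token';

// A fresh, unpredictable token: 32 random bytes rendered as 64 hex chars.
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Issue the token as a cookie. Because the page embeds the token server-side,
// JavaScript never needs to read this cookie, so it can be HttpOnly.
// Secure restricts it to HTTPS and SameSite=Strict stops the browser
// attaching it to cross-site requests at all.
function issueCsrfCookie(string $token): void
{
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => 0,        // session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// The hidden field that carries the second copy of the token.
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// The check itself. Both copies must be present as non-empty strings (an
// array smuggled in via token[]= or a missing cookie is rejected, never
// coerced). hash_equals() is a strict, constant-time comparison.
function checkToken($token, $cookiecsrf): bool
{
    if (!is_string($token) || !is_string($cookiecsrf)) {
        return false;
    }
    if ($token === '' || $cookiecsrf === '') {
        return false;
    }
    return hash_equals($cookiecsrf, $token);
}

if (PHP_SAPI !== 'cli') {
    // Web flow: the login step plays the role of result.php, the protected
    // step the role of home.php.
    session_start();
    $action = $_POST['action'] ?? '';
    if ($action === 'login') {
        // A real credential check goes here; on success issue the token.
        $token = generateCsrfToken();
        issueCsrfCookie($token);
        echo '<form method="post" action="/home.php">'
            . csrfHiddenField($token)
            . '<input type="hidden" name="action" value="protected">'
            . '<button type="submit">Continue</button></form>';
    } elseif ($action === 'protected') {
        if (!checkToken($_POST['token'] ?? null, $_COOKIE[CSRF_COOKIE] ?? null)) {
            http_response_code(403);
            exit('CSRF token mismatch');
        }
        echo 'Token check passed';
    }
} else {
    // Stand-alone run from the CLI: a genuine request, a forged request that
    // carries a token the attacker guessed, and a request with the hidden
    // field missing.
    $cookie = generateCsrfToken();
    var_dump(checkToken($cookie, $cookie));
    var_dump(checkToken(generateCsrfToken(), $cookie));
    var_dump(checkToken(null, $cookie));
}
```

Run it under a web server to walk the two-step flow, or directly with the php command for the three simulated checks. One caveat to the golden rule above: it holds only as long as nobody but the site can write the cookie, yet a cookie for a site can be set from any of its subdomains and, over plain HTTP, by anyone on the network path. For that reason the OWASP CSRF Prevention Cheat Sheet recommends the signed double-submit variant, where the cookie value is an HMAC over the session identifier under a server-side key, so a cookie planted by someone else fails verification even though it matches the hidden field.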
The code for the application is on GitHub and the link is mentioned below.