Posts

Cross-site Request Forgery protection in web applications via Asynchronizer Token Patterns

In this post we see how to implement Cross-site Request Forgery protection in web applications via the Double Submit Cookie Pattern. We use PHP to implement the web application. User login: you may use hard-coded user credentials for demonstration purposes. Implement a web page that has an HTML form. The method should be POST and the action should be another URL in the website. Upon login, generate a session identifier and set it as a cookie in the browser. At the same time, generate the CSRF token for the session and set it as a cookie in the browser. The CSRF token value is not stored on the server side. When the HTML form is loaded, run JavaScript which reads the CSRF token cookie value in the browser and adds a hidden field to the HTML form by modifying the DOM. When the form is submitted to the action, the CSRF token cookie will be submitted and the CSRF token value will also be submitted in the form body. In the web page that accepts the form submission (the URL of the action),

Cross-site Request Forgery protection in web applications via Synchronizer Token Patterns

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. Let's see how to implement a web application with CSRF protection. User login: you may use hard-coded user credentials for demonstration purposes. Upon login, generate a session identifier and set it as a cookie in the browser. At the same time, generate the CSRF token and store it on the server side. You

Web application with OAuth authorization

Today, on most websites you can see options on the login page such as "Login with Facebook" or "Login with Google". So here I am going to show how to create such a social login using an OAuth authorization server and an OAuth resource server. I am creating my web application on localhost with the Apache server using PHP. First we create a page named index.php. Here we have the simple login form. We create a simple HTML form and for CSS we use Bootstrap. On that same page we have the "Log in with Google" option. In that section we define what data we want to get from the users and we assign that data to variables. In the next step we create another file named loginG.php. There we have some variables such as clientId, clientSecret and redirectURL. To get the clientId and clientSecret we have to use the Google console. After logging in to the Google console you can create an app. Then go to Product and services tab > API and services &