Cross-site Request Forgery protection in web applications via Asynchronizer Token Patterns

-
In this we see how implementing Cross-site Request Forgery protection in
web applications via Double Submit Cookies Patterns.We use php to implement the web application.

User login. You may use hard coded user credentials for demonstration purpose.
Implement a webpage that has a HTML form. The method should be POST and action
should be another URL in the website.



Upon login, generate session identifier and set a cookie in the browser. At the same
time, generate the CSRF token for the session and set a cookie in the browser. The
CSRF token value is not stored in the server side.




When the HTML form is loaded, run a javascript which reads the CSRF token cookie
value in the browser and add a hidden field to the HTML form modifying the DOM.
When the form is submitted to the action, the CSRF token cookie will be submitted and
also in the form body, the CSRF token value will be submitted.



In the web page that accepts the form submission (the URL of the action), obtain the
CSRF token received in the cookie and also in the message body. Compare the two
values received and if they match, show success message. If not show error message.

The login page
Successful Login


My sample project - CSRF-asyn



Comments

Post a Comment

Popular posts from this blog

Web application with OAuth authorization

-
Image
Today in the most of the websites you can see on login page there are some options like Login with "Facebook" or "Login with Google". So here I am going to show how to create a such social login using OAuth authorization server and OAuth resource server. I am creating my  web application in localhost with apache server using php. First we create a page with name index.php . Here we contain the simple login form. We create a simple html form and for css we use bootstrap. On that same page we have the Log in with Google option. In that section we define what data we want to get from the users and we assign those data to variables. In the next step we create another file named loginG.php.  There we have some variables as cllientId, clientSecret and redirectURL. To get the clientId and clientSecret we have to use Google console. After login to google console you can create an app. Then go to Product and services tab > API and services ...
Read more

Cross-site Request Forgery protection in web applications via Synchronizer Token Patterns

-
Image
Cross-site request forgery , also known as  one-click attack  or   session riding  and abbreviated as  CSRF  (sometimes pronounced  sea-surf ) or  XSRF , is a type of malicious  exploit  of a  website  where unauthorized commands are transmitted from a  user  that the web application trusts.  There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike  cross-site scripting  (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. Lets see how to implement a web application with CSRF protection. User login. You may use hard coded user credentials for demonstration purpose. Upon login, generate session identifier and set as a cookie in the browser. At...
Read more