Double submit cookie pattern to defend against Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery, also known as CSRF, is an attack that tricks a web browser into executing an unwanted action in an application to which the user is logged in.
A successful CSRF attack can be devastating for both the business and the user. It can result in damaged customer relationships, unauthorized fund transfers, changed passwords and data theft, including stolen session cookies.
The double submit cookie pattern is one method used to prevent this attack. The image below explains how the double submit cookie pattern works.
[Image: diagram of how the double submit cookie pattern works]
In this blog post I demonstrate a sample project showing how to implement the double submit cookie pattern.
1. You need a web server to run this project.
(Download WampServer from http://www.wampserver.com/en/, install it and run it.)
2. First, create a login page to authenticate the user. I created a login.html page which authenticates users using JavaScript. Since this is a demonstration, I used hard-coded credentials.
This is the login.html page and the JavaScript function that authenticates the user.


3. When a login succeeds, login.html invokes the CSRF_Token_Generator.php page to generate a CSRF token for the current user session.
CSRF_Token_Generator.php

In this page, two cookies are created: one for the session identifier and one for the CSRF token.
4. After this, it redirects to the Home.php page, where the user enters his details in a simple form for submission.
Home.php

5. Here I store both the CSRF token and the CSRF cookie received from token_request.js in hidden fields in the form. This happens whenever the Home.php page loads.
token_request.js

6. Next, the user enters his details and submits the data. During submission, Home.php redirects to the Token_Validation.php page, where the server checks whether this data comes from a valid user. To do that, the server compares the token value and the cookie value in the hidden fields.
Token_Validation.php

7. Depending on the token comparison result, it shows the proper message on the Data_Receiving_End_Point.php page.

You can download all the source code for this project from the following link.

Author: G M H Wijeratne
