Synchronizer Token Pattern

  • Writer: Chamodi Abisheka
  • Oct 10, 2019
  • 2 min read

What is a CSRF attack?


CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking.

According to OWASP

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Steps in a CSRF attack

Cross-Site Request Forgery can be carried out with both GET and POST requests (an attacker's page can trigger a GET with an image tag or a link, and a POST with an auto-submitted form), so prevention and mitigation techniques must cover every state-changing endpoint, whatever HTTP method it accepts.


The most widely used CSRF prevention method is the synchronizer token, also known as a CSRF token.


How does it work?

When a user is authenticated, the server generates a cryptographically random token, stores it against the user's session, and embeds it in every form or request that changes state. Because the attacker's page cannot read this value (the same-origin policy keeps it from reading responses from the target site), a forged request cannot carry it. On each state-changing request the server verifies that the submitted token matches the one stored for the session before processing the request; the request is rejected if the token is missing or does not match.



Synchronizer Token Pattern Workflow

I have demonstrated the above process using a PHP application. The project is available here.

Demonstration of Synchronizer Token Pattern using PHP website



A login page displayed below allows a valid user to login and update a value.

In this example the login credentials are hard-coded: username admin and password password.



If the credentials are valid, the server generates a session ID, which is stored in a browser cookie, and also generates a CSRF token.


The CSRF token is stored against the session identifier on the server side.

The token is generated by the following function, “generate_token”, and is stored as an MD5 hash of the generated value. Note that hashing adds no security here: the token is only as unpredictable as the random input to the hash, so what matters is that the input comes from a cryptographically secure source (for example PHP's random_bytes()) and that the token is long enough (128 bits or more) to be unguessable.




After the login form is submitted with a POST request and the credentials are validated, the session ID is set as a cookie, as shown in the section below. Regenerating the session identifier at this point (session_regenerate_id() in PHP) ensures that the authenticated session does not keep an ID that was issued before login.




Upon successful login, a page to update the First Name and Last Name is displayed as follows. As the page loads, the browser sends an Ajax call to the endpoint that returns the CSRF token created for the session, and the token is placed in a hidden input field of the form. This endpoint must only be readable from the application's own origin; if it were exposed cross-origin (for example through a permissive CORS policy), an attacker's page could fetch the token and defeat the protection.




Update Page

The update button sends a POST request; the server validates the session ID from the cookie and the CSRF token sent in the hidden input field.


The server compares the token submitted in the request body with the token stored for the session (a constant-time comparison such as hash_equals() avoids leaking information through timing). If the two values match, the form is processed and a success message is displayed; if the token is missing or does not match, the request is rejected and an error message is displayed.
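The whole flow described in the steps above (login, session cookie, token issued against the session, token fetched by the page, token checked on the update POST) as a single-file PHP application. This is an added example, not the post's project code: the route names (/login, /token, /update), the session keys and the function names other than generate_token are assumptions chosen for the demo, and the credentials are the hard-coded ones from the post.

```php
<?php
// csrf_demo.php - added example of the synchronizer token pattern.
// Run with the built-in server:  php -S 127.0.0.1:8000 csrf_demo.php
// then open http://127.0.0.1:8000/ in a browser.
declare(strict_types=1);

session_start();

// Hard-coded credentials, as in the post's demo.
const DEMO_USER = 'admin';
const DEMO_PASS = 'password';

// Unpredictable token from the OS CSPRNG: 32 bytes = 256 bits of entropy.
// No hashing step; hashing a random value adds nothing to its strength.
function generate_token(): string
{
    return bin2hex(random_bytes(32));
}

// Constant-time comparison. Rejects a missing, non-string, empty or
// mismatched token so a forged request without the value never passes.
function validate_token($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

function logged_in(): bool
{
    return !empty($_SESSION['user']);
}

$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($path === '/login' && $method === 'POST') {
    if (($_POST['username'] ?? '') === DEMO_USER
        && ($_POST['password'] ?? '') === DEMO_PASS) {
        session_regenerate_id(true);            // fresh session ID cookie after auth
        $_SESSION['user'] = DEMO_USER;
        $_SESSION['csrf_token'] = generate_token(); // token stored against the session
        header('Location: /update');
        exit;
    }
    http_response_code(401);
    exit('Invalid credentials');
}

if ($path === '/token' && logged_in()) {
    // Ajax endpoint: returns the session's token as JSON. No CORS headers,
    // so the same-origin policy stops other sites from reading it.
    header('Content-Type: application/json');
    echo json_encode(['token' => $_SESSION['csrf_token']]);
    exit;
}

if ($path === '/update' && logged_in()) {
    if ($method === 'POST') {
        if (!validate_token($_POST['csrf_token'] ?? null)) {
            http_response_code(403);
            exit('CSRF token missing or invalid');
        }
        $first = htmlspecialchars((string)($_POST['first_name'] ?? ''), ENT_QUOTES, 'UTF-8');
        $last  = htmlspecialchars((string)($_POST['last_name'] ?? ''), ENT_QUOTES, 'UTF-8');
        exit("Updated: $first $last");
    }
    // GET: the form's hidden field is filled by an Ajax call to /token.
    echo <<<'HTML'
<form method="post" action="/update">
  <input name="first_name" placeholder="First name">
  <input name="last_name" placeholder="Last name">
  <input type="hidden" name="csrf_token" id="csrf_token">
  <button>Update</button>
</form>
<script>
fetch('/token', {credentials: 'same-origin'})
  .then(r => r.json())
  .then(j => { document.getElementById('csrf_token').value = j.token; });
</script>
HTML;
    exit;
}

// Default route: the login form.
echo '<form method="post" action="/login">'
   . '<input name="username" placeholder="Username">'
   . '<input name="password" type="password" placeholder="Password">'
   . '<button>Login</button></form>';
```

To see the protection work, save the rendered update form as a page on a different origin (or simply strip the hidden field) and submit it while logged in: the POST arrives with the session cookie but without a valid token and is answered with 403. The token endpoint is the sensitive part of this design; it must never be served with Access-Control-Allow-Origin for other origins while credentials are allowed, or the attacker's page could read the token the same way the legitimate page does.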



Link to source code.



©2019 by chamodiabisheka.
