Synchronizer-Token-Patterns


Synchronizer Token Patterns.



The Encrypted Token Pattern is a defense mechanism against Cross Site Request Forgery (CSRF) attacks, and is an alternative to its sister-patterns; Synchroniser Token, and Double Submit Cookie.

Each of these patterns has the same objective:

  1. To ensure that any given HTTP request originated from a trustworthy source
  2. To uniquely identify the user that issued the HTTP request

In the first instance, the need to ensure that requests originate from a trustworthy source is an obvious requirement. Essentially, we need to guarantee that any given request has originated not only from the user’s web-browser, but also from a non-malicious link, or connection.



Once you have verified that the request appears to be the same origin request so far, we recommend a second check as an additional precaution to really make sure. This second check can involve custom defense mechanisms using CSRF specific tokens created and verified by your application or can rely on the presence of other HTTP headers depending on the level of rigor/security you want.

Synchronizer (CSRF) Tokens

  • Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks
  • Characteristics of a CSRF Token

                    -Unique per user session
                    -Large random value
                    -Generated by a cryptographically secure random number generator
  • The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs via a GET
  • The server rejects the requested action if the CSRF token fails validation
 These challenge tokens are then inserted within the HTML forms and links associated with sensitive server-side operations. When the user wishes to invoke these sensitive operations, the HTTP request should include this challenge token. It is then the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. The inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. This is analogous to the attacker being able to guess the target victim's session identifier. The following synopsis describes a general approach to incorporate challenge tokens within the request


Openssl function to generate a secure random string have used by me in the code given below.
Click here to find the source code at :Synchronizer-Token-Patterns

Image 01


Above image 01 shows how it's going to be work after CSRF protection.

Once the user made the request CSRF token goes with it. Refer the following image 02



After clicking the button "Update"














Settings get updated.



Download my sample code at : github.com/RajithaAkwaththa/Synchronizer-Token-Patterns

Comments

Popular posts from this blog

The Secure Socket Tunneling Protocol

Fake WAP

Lets Make a Simple Keylogger