Mitigate CSRF with Double Submit Cookies

I previously explained what CSRF is and how to mitigate a CSRF attack using the Synchronizer Token Pattern.
In this blog post I'm going to talk about another CSRF mitigation technique called the "Double Submit Cookies Pattern" 😉

What is Double Submit Cookies Pattern?

This is a technique that sends a random value, which we call a "token", both in a cookie and as a request parameter, with the server verifying that the cookie value and the request parameter value match.

Why DSCP?

Now it's obvious that a third party cannot perform a CSRF attack without the CSRF token, and here the attacker (the third party) cannot get the token because it is in a cookie, and a web page on one domain cannot read the cookies of a web page on a different domain.
For example, assume the genuine web page is banker.com and the attacker's web page is attacker.com. When a user is logged in to banker.com and is then led to attacker.com, attacker.com cannot read banker.com's cookies. So a CSRF token in a cookie is a safe way to exchange the token between the client and the server.

Now let's see the flow of this method. 

  • The user logs in to the website; along with this, the server generates a CSRF token and sets it as a cookie in the web browser, together with the session identifier.
  • The client (the web browser) extracts this CSRF cookie value and sets the same value in a hidden field of the HTML form by modifying the DOM.
  • So when the form is submitted to the server for processing, the CSRF cookie and the hidden field from the HTML form, carrying the same value as the CSRF cookie, both go in the request.
  • The server validates these two values and processes the request if and only if they match each other. Otherwise, it is treated as a CSRF attack.

For a better understanding, let's go through these steps with some sample code.


User login.



Along with the user login, the server validates the user credentials, creates a new CSRF token and sets it as a cookie in the browser. It also sets a session cookie with the session id.


As you can see in the code segment above, I named the CSRF cookie "CSRF_Token" and the session cookie "Session_Cookie".


Then the client-side script extracts the cookie values, identifies the CSRF cookie and sets it as the value of a hidden field in the HTML form by modifying the DOM.

I used a JavaScript function to extract the CSRF token cookie, and then modified the DOM using jQuery (the hidden-field-value-changing thing 😇).


Now everything is set on the client side, so we send the request to the server.

Click "Submit" button and you are good to go.


The server gets the request with the HTML form, including the hidden token value, as well as the cookies. Among these cookies, the Session_Cookie and the CSRF_Token cookie will arrive.


(Above is a simple function to get specific cookie value.) 


So now the server validates the value in the hidden field against the cookie value.


And if those values match each other, we can say that this request is not a forgery, but a genuine one.
 


Apache Tomcat Server outputs 😊



You can download this application at any time; it's available in my GitHub repositories.
You can follow the instructions in the readme file when it comes to deploying this application.
