Posts

Showing posts with the label Servlet

Mitigate CSRF with Double Submit Cookies

I previously explained what CSRF is and how we can mitigate a CSRF attack using the Synchronizer Token Pattern technique. In this blog post I'm going to talk about another CSRF mitigation technique called the "Double Submit Cookies Pattern" 😉 What is the Double Submit Cookies Pattern? This is a technique that sends a random seed, or a "token" as we call it, both in a cookie and as a request parameter, with the server verifying that the cookie value and the request value match. Why DSCP? Now it's obvious that a third-party entity cannot perform a CSRF attack without the CSRF token, and here the attacker or third-party entity cannot get the token because it's in a cookie, and third-party web pages cannot read the cookies of another web page that has a different domain. For example, assume that the genuine web page is banker.com and the attacker's web page is attacker.com; when a user logs in to banker.com and is accidentally redirected to attacker...

OAuth 2.0 Authorization_Code Grant Sample Application Demonstration

In previous blog posts about OAuth 2.0 and OAuth Grant Types I discussed the basic idea of the OAuth 2.0 framework and the four main grant types for retrieving an access token. Comparing all four grant types, you can see that the "Authorization code" grant type is somewhat more complex than the other three. So, I thought about developing a simple web-based Java application just to demonstrate the message-passing (request and response) flow of the OAuth 2.0 Authorization code grant type. Again, if you are not familiar with the OAuth 2.0 framework or its grant types, visit my blog posts OAuth 2.0 and OAuth 2.0 Token Grants 😊 As I was saying, I developed an application to demonstrate the flow of the authorization_code grant, and I used Java as the language, Apache Maven as the build tool and Apache Tomcat as the web server. Let's see how this works. 😉 As you remember, the first thing to do as a client is to get the authorization code....