Cross Site Request Forgery (CSRF) is an attack in which the attacker tricks a logged-in user into sending a request to a legitimate site, using that site's real URL, from a page the attacker hosts. The attacker's page looks the same as the original site, and the data the attacker wants to submit is hidden inside it.
When the victim opens the link, the browser POSTs that hidden data to the original URL and automatically attaches the site's cookies. The server validates the request only by the cookies the browser sends, so if the session cookie is valid and the user is logged in, the server processes the forged request.
Examples of CSRF attacks include:
- If the attacker wants to shut down a server, he can target an administrator who has that capability and send him the fake page carrying the data needed to shut the server down. When the victim clicks the link, the server will be shut down.
- Posting a message on someone's wall (for example on Facebook) as if it came from the legitimate user.
In a normal client-server request, the browser sends a POST request and the server only checks for the session cookie. To protect against CSRF attacks, the server additionally checks for a 'CSRF token' along with the session cookie.
There are two methods for CSRF protection:
- Synchronizer Token Pattern
- Double Submit Cookie
Synchronizer Token Pattern
The synchronizer token pattern is one way of preventing Cross-Site Request Forgery (CSRF) attacks. The server generates the token, keeps a copy on the server side and hands it to the page. The attacker cannot reproduce this step because the token cannot simply be requested from the endpoint URL: the browser's same-origin policy stops a script running on the attacker's domain from reading the response of a cross-site Ajax request, so the attacker cannot obtain the token and the forged request fails validation.
PHP Implementation Code
On the login page, generate the CSRF token along with the session cookie and store it in server-side memory (the session).
On the next page, run Ajax code that requests the CSRF token.
Implement the server-side code that returns the token.
The server then sends the token back to the page.
When the form is submitted, send the token in a hidden field.
On the server, validate the submitted token against the stored copy.
Double Submit Cookie
Double submit cookie is another method of preventing CSRF attacks. The attacker cannot carry out this process because the CSRF cookie is set in the user's browser, and a page on another origin cannot read it, so the cookie stays inaccessible to the attacker. The token is also not exposed in the body of a page that the attacker could fetch.
PHP Implementation code
Create the CSRF cookie along with the session cookie and store it in the browser.
In the above diagram the secure flag is set, so the request has to be sent over https.
To send it over plain http, the flag has to be disabled; the sixth argument of setcookie() is the secure flag:
setcookie('csrf_token', $token, time() + 3600, '/', 'localhost', false);
Read the CSRF token from the CSRF cookie of the loaded page.
Send the token in a hidden field when submitting the form.
Validate the CSRF token by comparing the hidden field with the cookie value.
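The two procedures above (synchronizer token and double submit cookie) condensed into one PHP helper; this is an added example, not the article's code, and the function names, the csrf_token field and cookie name, and an earlier session_start() call are assumptions.

```php
<?php
// Added example (not the article's code). Assumes session_start() already ran.

// 32 random bytes, hex-encoded; random_bytes() is cryptographically secure.
function csrf_generate_token(): string {
    return bin2hex(random_bytes(32));
}

// --- Synchronizer Token Pattern: the reference copy lives in the session ---
function csrf_sync_issue(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = csrf_generate_token();
    }
    return $_SESSION['csrf_token'];
}

// Compare the hidden field with the session copy. hash_equals() runs in
// constant time, so response timing does not leak the token byte by byte.
function csrf_sync_validate(array $post): bool {
    return isset($_SESSION['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// --- Double Submit Cookie: the token lives in a cookie the page's JS reads ---
function csrf_double_issue(): string {
    $token = csrf_generate_token();
    // secure=true: HTTPS only (the article's snippet passes false to allow http).
    // httponly must stay false, or the page's script cannot read the cookie to
    // copy it into the hidden field. samesite=Strict also stops the browser from
    // attaching the cookie to cross-site POSTs.
    setcookie('csrf_token', $token, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => false,
        'samesite' => 'Strict',
    ]);
    return $token;
}

// Cookie value and hidden field must match; no server-side storage is needed.
function csrf_double_validate(array $cookie, array $post): bool {
    return isset($cookie['csrf_token'], $post['csrf_token'])
        && is_string($cookie['csrf_token']) && is_string($post['csrf_token'])
        && hash_equals($cookie['csrf_token'], $post['csrf_token']);
}
```

A form handler would call csrf_sync_validate($_POST) or csrf_double_validate($_COOKIE, $_POST) before acting on a POST and answer with HTTP 403 when the check fails.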
The main disadvantage of the double submit cookie method is that, if the site is vulnerable to cross-site scripting (XSS), the attacker can use that XSS to read and steal the cookie. However, the double submit cookie does not need a database.
The synchronizer token pattern needs a database (server-side storage for the token), but the attacker cannot steal the token from a cookie with XSS. It is more secure than the double submit cookie.