Synchronizer Token Pattern

Cross-Site Request Forgery (CSRF)

Before talking about the Synchronizer Token Pattern, we need to understand what Cross-Site Request Forgery (CSRF) is.

CSRF is a type of attack where "a malicious website, email, any type of instant message or a program, etc. causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated". Browser requests automatically include credentials such as the user's session cookies, IP address, etc., and that is exactly what CSRF relies on: if the user is authenticated to the site, the site cannot distinguish a legitimate request from a forged one sent from the victim's browser. To prevent these attacks, we require a token that the attacker cannot access and therefore cannot send along with the forged requests they initiate.

A CSRF token should be a large random number that is also unique per user session, and is also generated by a cryptographically secure random number generator.

Synchronizer Token Pattern

The Synchronizer Token Pattern generates random challenge tokens that are associated with the user's current session; these challenge tokens are then submitted within HTML forms and with calls that perform sensitive server-side operations.

The first step to implementing a Synchronizer Token in your code is to set a randomly generated token as a session attribute after successful authentication, in your authentication servlet. Afterwards, make sure to include the same session token in all your forms, so that whenever such a form is submitted you can compare the token value from the form with the token value held in the session. If the two values are equal, we can confirm the absence of forgery.

Below is a demo built with a simple Java application to give you a better understanding of how the Synchronizer Token Pattern works:

1. Upon a user's successful login, a session ID is generated and stored in the browser

[Screenshot: Login Page]

[Screenshot: Login is validated and the token is generated here]

2. Upon submission, the server side will generate a CSRF token

[Screenshot: Server side generates the CSRF token]
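To make both steps concrete, here is an added, self-contained Java example of the pattern described above. It is not the code from the demo application in this post: instead of a servlet container it uses a plain `Map` as a stand-in for `HttpSession` and for the submitted form parameters, and the class and method names (`CsrfTokenDemo`, `issueToken`, `renderForm`, `verify`) are my own. The token is drawn from `SecureRandom`, stored as a session attribute on login, embedded in the form as a hidden field, and compared on submission with a constant-time comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration of the Synchronizer Token Pattern. The Map-based
// "session" and "form parameters" below stand in for HttpSession and
// HttpServletRequest so the class runs without a servlet container.
public class CsrfTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String TOKEN_ATTR = "csrfToken";

    // Step 1: after successful authentication, generate a token that is
    // cryptographically random and unique to this session, and store it
    // as a session attribute.
    static String issueToken(Map<String, String> session) {
        byte[] raw = new byte[32];                      // 256 bits of entropy
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_ATTR, token);
        return token;
    }

    // Every form that triggers a sensitive operation carries the session's
    // token as a hidden field, so a genuine submission echoes it back.
    static String renderForm(Map<String, String> session) {
        return "<form method=\"POST\" action=\"/transfer\">\n"
             + "  <input type=\"hidden\" name=\"" + TOKEN_ATTR + "\" value=\""
             + session.get(TOKEN_ATTR) + "\">\n"
             + "  <input type=\"text\" name=\"amount\">\n"
             + "  <input type=\"submit\" value=\"Transfer\">\n"
             + "</form>";
    }

    // Step 2: on submission, compare the form's token with the session's token.
    // MessageDigest.isEqual is constant-time, so the check does not leak how
    // many leading bytes of a wrong token happened to match.
    static boolean verify(Map<String, String> session, Map<String, String> formParams) {
        String expected = session.get(TOKEN_ATTR);
        String submitted = formParams.get(TOKEN_ATTR);
        if (expected == null || submitted == null) {
            return false;                               // missing on either side: reject
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();  // stands in for HttpSession
        String token = issueToken(session);             // runs in the login servlet
        System.out.println(renderForm(session));

        // Genuine submission: the browser posts the hidden field it was served.
        Map<String, String> genuine = new HashMap<>();
        genuine.put("amount", "100");
        genuine.put(TOKEN_ATTR, token);
        System.out.println("genuine request accepted: " + verify(session, genuine));

        // Cross-site request: the session cookie is attached automatically, but
        // the originating page cannot read the token, so the field is absent.
        Map<String, String> crossSite = new HashMap<>();
        crossSite.put("amount", "100");
        System.out.println("cross-site request accepted: " + verify(session, crossSite));

        // A fresh login issues a fresh token, so a token from an earlier session
        // no longer validates.
        issueToken(session);
        System.out.println("stale token accepted: " + verify(session, genuine));
    }
}
```

Run it with `java CsrfTokenDemo.java` (Java 11 or later). The genuine submission is accepted, while the request without a token and the request carrying a token from a previous login are both rejected. In a real servlet the `session` map becomes `request.getSession()` with `setAttribute`/`getAttribute`, and `formParams` becomes `request.getParameter(...)`; the generation and comparison logic stay the same.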

