Tuesday, April 22

How to avoid CSRF - Cross Side Request Forgery attack






How to prevent CSRF using.

CSRF attack can be prevented using Synchronized Token Pattern.

When an HTML form is rendered ,server assigns it a unique and random identifier in the form of hidden http parameter. Server

Also stored the unique identifier in user session profile

When This form is submitted server compares the identifier's value in hidden field with value stored in user session profile . If value matches only then request is further processed otherwise request is aborted.

Thus if any evil website tries to submit a form with forging the client request information in that , it is not able to generate the unique identifier As
It does not know How to get it , It's not there on client cookie , it's not guessable . So attacker can't make CSRF attack.





For example : If a form named businessForm is rendered is follow ,server creates random token and form store that in hidden field. Also it's value is sotred
in user session

businessForm
">


CSRF_identifier">123#rret_val</>



When user submit this form token value is validated. Evil site can't steal this random number So that request will be rejected and CSRF attack will be prevented







CSRF - Cross Side Request Forgery





When you are accessing your bank website ,Why should you not open any other tab in same window with some unknown /evil application?

You might become s CSRF prey.

How does that happen ?

LEt's understand this with an simple example.

Let's say you open the browser and login to you bank website www.mybank.com with your username/password.

When you Do this bank might persist your authentication token in cookie. For eample : You login to the website using your username/password and bank website
,after successful authentication , stores in client cookie "isUserALreadyLoggenzIn"="true"







After this you open an evil website in new tab , may be by clicking on some link on some other page in the same window . Now that evil website might contain

a form like this



name="amonut" value="50000"

Win Lottery

On on page opened with evil website link you click on Win Lottery button. This click submits a request of money tranfer and money is transferred to some
other account without your knowledge. Application identifies the logged in your using cookie data and there "isUserLoggedIn" is already set to true So no problem comes in authentication.



This example is Just to cover the CRSF i.e. cross side request forgery . These days bank application and browsers are much more intellient to

defend against these evils .