Skip to main content

Double Submit Cookie

Double submit cookie is one of the prevention method for Cross-Site Request Forgery (CSRF). Same as the synchronizer token pattern, it is using a cryptographic random value to validate a request agent. However, the implementation is different since the way it is saved is dissimilar. Here, the generated token value is saved in the browser, not on the server. Therefore servers no need to save huge amounts of data. When a user makes a request, the server compared the token value in the form DOM element (in the body) and token in the cookie header of the request. 
(Click on the images to view clearly)
Source code of the implemented program can be downloaded from here.
A login page, index.html has been implemented to enroll users.



Once the user entered the credentials, the form data will be submitted to login_handler.php using POST method.


If the username and password are correct, the user session is started and the username will be assigned to the session variable 'uname'. By default, the session identifier is saved as a cookie in the browser when session_start() is activated. Then the 32-byte length random binary is created and it is converted to a hex value. The random value (CSRF token) is assigned to the variable ‘token’. Further, the token is set as a cookie in the browser by passing the parameter like, token name, token value, and life span (1 day). Then the user will be redirected to home.html. The failed logins are redirected to index.php. 


In home.html, using getCookie function, particular CSRF token value will be extracted from the cookie and the derived value is assigned to the DOM element which has id as dom_csrf.



When the user submits the home.html form, the form data will be sent to form_submit.php.


The form_submit.php checks whether the token value in cookies is available or not. At the same time, token value in the form DOM element is compared with token value in the cookie. If both the values are same, the program displays a success message. If not CSRF token not matched message will be shown when the token is mismatched or the token not exist.

Comments

Post a Comment

Popular posts from this blog

Cyber Chef - Bake your data!

The cyber chef is a security tool which uses for encoding, decoding, encrypting and data analytics. It is available on GitHub ( https://gchq.github.io/CyberChef/ )  and provides services from simple encoding process to complex encryption process. It was implemented for the British government as a  part of MI5 and MI6 project. However, now it can be used by both technical and non-technical personnel without the knowledge of algorithms. The cyber chef is a freely available web application that can be used online. The offline version is also available to download. The cyber chef has some features to complete conversion tasks. Input –  Where to paste or write text that wanted to convert. Up to 500mb file can be dragged to the input field. Output – Where converted text is displayed. Recipe – where tools used for converting are dragged and dropped. Operations – Contain all the operations. These operations covert input text into selected form and display in output filed.
Post a Comment
Read more

Change Language in Google Account

When we create an email address, sometimes we do not consider the language preferences. Afterward, when we log in to a google account, context will be shown as unfamiliar. So we can change the language preferences of google account by following steps.  1.  Click on the Google profile and select google account 2.  Select data & personalization settings. 3. Scroll down and go to general preferences for the web. And click language. 4. If you need to change the default language, click on the pen sign. 5. If you want to add more languages, click on add other languages.
Post a Comment
Read more

Exploit Windows 2000 machine using the Metaspolit framework from the Kali Linux machine.

Exploit Windows 2000 machine using the Metaspolit framework from the Kali Linux machine. When the windows 2000 the machine came for public use, many vulnerabilities were identified. This was caused by the number of vulnerabilities in IIS services. Many attacks came from remote sources through the internet and there were critical flaws due to the vulnerable encryption methods. From this article how the vulnerabilities of windows would be identified using Nessus, and exploit it using Metasploit in kali machine will be described. To do it I am using my main operating system (OS) kali and virtual machine windows 2000. For that IP range of both machines should be in the same range to ensure those are in the same network. Therefore network setting was fix as bridge adaptor in windows virtual machine. Check IP of kali using ifconfig Check IP of windows using ipconfig Then Nessus vulnerability s
Post a Comment
Read more