
Synchronizer Token Pattern


The synchronizer token pattern is one of the prevention methods for Cross-Site Request Forgery (CSRF). It uses a value called a CSRF token that is unique per session identifier. When the user logs in to a website, the server generates a random value (the token) for that particular session. The token is stored on the server and, once the browser has obtained it from the server, in the browser as well. PHP identifies the session using the session variable ‘PHPSESSID’, which is also stored in the browser as a cookie to identify a particular session. The server validates each request by comparing the token value held on the server with the token value sent by the browser. This write-up describes how the synchronizer token pattern is implemented and how it works.

Source code of the implemented program can be downloaded from here

I have implemented a login page called index.html to enroll a user to the server.




The username and the password are hardcoded. When the form is submitted, the form data is posted to login_handler.php. If the user enters a valid username and password, the user is redirected to the home.html form and a session identifier is created. By default, the session identifier is stored as a cookie in the browser once session_start() is called. At the same time, a cryptographically random value (the CSRF token) of 32 bytes is generated, converted to a hex string and assigned to a session variable called token. Invalid credentials redirect the user back to the login page.
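The login step described above, written out as an added example (this is not the blog's downloadable code). The hardcoded credentials are constructed values, the hidden-field and session variable names follow the post, and the session_regenerate_id() call is an assumption added so that a session id issued before login (and any token bound to it) cannot be reused after login:

```php
<?php
// login_handler.php (added example; not the blog's downloadable code)
declare(strict_types=1);

session_start();

// Constructed hardcoded credentials, mirroring the post's setup.
// A real application would store a password_hash() value instead.
const VALID_USER = 'admin';
const VALID_PASS = 'secret';

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

// hash_equals() compares in constant time, so the comparison does not
// reveal how many leading characters of the submitted value matched.
$ok = is_string($user) && is_string($pass)
    && hash_equals(VALID_USER, $user)
    && hash_equals(VALID_PASS, $pass);

if (!$ok) {
    // Invalid credentials: back to the login page.
    header('Location: index.html');
    exit;
}

// Assumption: issue a fresh session id on login so a pre-login session id
// (and any token already bound to it) cannot be reused after login.
session_regenerate_id(true);

// 32 cryptographically random bytes, rendered as 64 hex characters and
// bound to this session on the server side as the CSRF token.
$_SESSION['token'] = bin2hex(random_bytes(32));

header('Location: home.html');
exit;
```

random_bytes() is the CSPRNG-backed source to use here; functions such as rand() or uniqid() are predictable and would let a third party guess a token that is supposed to be unguessable.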




The server-side program called get_csrf.php returns the CSRF token stored for the particular session, encoded as JSON.
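An added example of what get_csrf.php needs to do (not the blog's own code; the JSON key name and the 401 response are assumptions). Two points are worth seeing explicitly: the endpoint refuses to hand out anything when no logged-in session exists rather than minting a token on the fly, and it marks the response as non-cacheable. What keeps this endpoint safe is the browser's same-origin policy, which stops a page on another origin from reading the JSON body; the endpoint must therefore never send a permissive Access-Control-Allow-Origin header:

```php
<?php
// get_csrf.php (added example; not the blog's downloadable code)
declare(strict_types=1);

session_start();

header('Content-Type: application/json');
// The token must not be stored by the browser cache or an intermediary.
header('Cache-Control: no-store');

if (empty($_SESSION['token']) || !is_string($_SESSION['token'])) {
    // No authenticated session: refuse rather than create a token here.
    // (401 status and the error key are assumptions of this example.)
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// The only thing returned is the token already bound to this session.
echo json_encode(['token' => $_SESSION['token']]);
```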



In home.html, JavaScript code fetches the CSRF token value from the server. The script runs once the home page is fully loaded. An Ajax call retrieves the token value from get_csrf.php; Ajax processes the request in the background without refreshing the page and returns the intended value. Using jQuery, the string returned by the Ajax request is converted to a JSON object with JSON.parse(). The object is assigned to a variable named ‘obj’ and the CSRF token is extracted from it. The extracted token is then written into the hidden field of the form (a DOM element) using the hidden field's id, ‘dom_csrf’.

When the user submits home.html form, the form data will be sent to form_submit.php.


The CSRF token stored in the hidden field is sent to form_submit.php along with the other form data. When the server receives the request, the CSRF token received in the form data is compared with the CSRF token stored in that session. If they match, the request is accepted and a success message is shown. Otherwise, when the token is mismatched or absent, a message saying that the token value does not match is displayed.
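The server-side comparison from the paragraph above, as an added example (not the blog's downloadable code). The hidden field is assumed to be posted under the name csrf, and the 403/405 status codes are assumptions. The check is kept in one function so the three failure cases the post mentions (missing session token, missing form token, mismatch) are all handled in one place, and hash_equals() is used so the comparison takes the same time whether the first byte or the last byte differs:

```php
<?php
// form_submit.php (added example; not the blog's downloadable code)
declare(strict_types=1);

session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // State-changing requests are accepted over POST only (assumption).
    http_response_code(405);
    exit('POST only');
}

/**
 * Returns true only when a token exists in the session, a token was
 * submitted with the form, and the two are identical.
 */
function validateCsrf(?string $sessionToken, ?string $formToken): bool
{
    if ($sessionToken === null || $sessionToken === '' || $formToken === null) {
        return false;
    }
    // Constant-time comparison; also returns false on a length mismatch.
    return hash_equals($sessionToken, $formToken);
}

// Field name 'csrf' is an assumption; the post's DOM element id is 'dom_csrf'.
$formToken    = $_POST['csrf'] ?? null;
$sessionToken = $_SESSION['token'] ?? null;

// A crafted form could post csrf[]=x, which PHP decodes as an array;
// only a string is acceptable as a token.
if (!is_string($formToken)) {
    $formToken = null;
}

if (!validateCsrf($sessionToken, $formToken)) {
    http_response_code(403);
    exit('CSRF token missing or does not match');
}

// Token accepted: process the rest of the form data here.
echo 'Form accepted';
```

Because the token is compared against the value stored in the server-side session, a cross-site form that posts to form_submit.php with the victim's cookie still fails: the attacking page cannot read the token out of the victim's home.html or out of get_csrf.php, so it has nothing valid to put in the hidden field.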
