Thursday, October 4, 2018

Synchronizer Token Pattern


Securing Your PHP Web Application Using Synchronizer Token Pattern
There are many security vulnerabilities in web applications; SQL injection, Cross-Site Scripting (XSS), and Broken Authentication and Session Management are a few of them. In this blog post, I'm going to explain the Cross-Site Request Forgery (CSRF) attack and how to secure a PHP web app against CSRF attacks.
CSRF Attack - What is it?

Almost all web applications use a client-server architecture to communicate between the client (front-end) and the server (back-end). This communication happens in the form of network / API calls or requests. For example, imagine a banking application where you can transfer money from your account to another. When the request is made by clicking the transfer button after entering the necessary details, the client application sends this request to the server to perform the transaction.
This is where a CSRF attack can take place. Put simply, in a CSRF attack a similar, unauthorized request is sent from the client application to the server without the knowledge of the user. There are many ways to carry out CSRF attacks. You can get a good idea about them here from Wikipedia.
[Figure: CSRF Attack. Image – google.com]

The synchronizer token pattern is one of the many ways to protect a web app from CSRF attacks. Here I will explain the Synchronizer Token Pattern and how to implement it using PHP.
For a better understanding, you should have some preliminary knowledge of cookies and how they work. If not, please read about them on the MDN site.

Synchronizer Tokens - How Do They Work?
[Figure: Image – google.com]
I have built a simple web application to demonstrate how synchronizer tokens work. Upon successful login, a user can post something including first name and last name.
Once the server has validated the user credentials on login, it generates a session ID and a CSRF token for the session. The generated session ID is set as a browser cookie.
[Figure: Code to generate the Session ID and the CSRF token.]

When the user enters the data and submits the form, the cookie carrying the session ID is sent to the server together with the CSRF token, which is carried in a hidden input field of the form. The server validates the session ID and the CSRF token and then updates the data.

[Figure: The hidden field which sends the token to the server.]
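An added example, not the post's own code (that is on GitHub), showing how the two steps above fit together in plain PHP. The function names and the `first_name` form field are my own assumptions, and it assumes PHP 7.3 or later:

```php
<?php
// Added example (not the post's own code): synchronizer token pattern in plain PHP.
// Assumes PHP >= 7.3 and a page that handles both the login step and the form submission.

// Session cookie hardening: HttpOnly keeps JavaScript away from the session ID,
// SameSite=Lax blocks the cookie on most cross-site POSTs, Secure requires HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => true,
]);
session_start();

// Called once, after the user's credentials have been verified.
function startAuthenticatedSession(string $username): void
{
    // A fresh session ID on login prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    // 32 random bytes from a CSPRNG, hex-encoded: the per-session CSRF token.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Emits the hidden field that carries the token back with the form.
function csrfHiddenField(): string
{
    $token = $_SESSION['csrf_token'] ?? '';
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only when the submitted token matches the one stored in the
// session; hash_equals compares in constant time to avoid timing leaks.
function csrfTokenIsValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    $given    = $post['csrf_token'] ?? null;
    return is_string($expected) && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['first_name'])) {
    if (!isset($_SESSION['user']) || !csrfTokenIsValid($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Session and token both check out: safe to update first/last name here.
}
```

Render `csrfHiddenField()` inside the update form so every submission carries the token; a forged cross-site POST cannot read the session-bound token and is rejected with 403.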
Working Application
The source code is available at GitHub.
[Figure: Login Screen]

[Figure: Update User Form]

[Figure: User update success]

