my assignment for WS-CSRF

what is CSRF ?

expanded name: Cross Site Request Forgery. An attacking trick, that tricks a web browser into executing an unwanted action in an application to which a user is logged in.

In this assignment, our task were to develop a system, which is not vulnerable to CSRF (AKA XSRF) attacks.
There are 2 main methods to prevent CSRF attacks.
  1. Double submit cookie
  2. synchronized CSRF token


there are both solutions in my submission.

i simply hard coded user login credentials.

to try "synchronized token method", use these credentials to log.
username: aaa
password: aaa

to try Double submit cookie, use these credentials to log.
username: sss
password: sss


Double Submit Cookie

when a user logging in, i created a random value and saved as a cookie in my browser.
$_SESSION['token'] is used for debugging purpose(ignore it).

i created a cookie named 'tokenCookie' and inserted my random value to it. the token will expire in 1 hour.
that created cookie will be added to a hidden field in my every form via javascript.
when ever i submitted the form, both hidden value and my cookie will be send to the server side.
in server side, i check if both are same or not.
if both are same, no interruption happened. if not, it is a CSRF attack.
user will be notified about this.

 Synchronized Token

when ever a user logs in, the system inserts a random token value to server database.
in may page, when ever the page is loaded,i used an ajax and loaded a text field into the form (it should be a hidden text field), which contains atoken value( which i took from my database.)


  below image will describe the ajax code.
this ajax load happens after the page is loaded.
then, after submitting the form, the token value will pass to the server as a POST value.
in server side, i also checked the token which came with POST data, with my database token value. if they are same, no attack happened. if they are not same, there may be an attack and, the user will be notified.

<<Github link>>

Popular posts from this blog