If storing the CSRF token in session is problematic, an alternative defense is use of a double submit cookie. A double submit cookie is defined as sending a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match.when a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id. The site does not have to save this value in any way, thus avoiding server side state. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie. Since the cookie value and the request parameter or form value must be the same, the attacker will be unable to successfully force the submission of a request with the random CSRF value.
This Demo will be explain how its works.
First you will get a login page which you can enter user name and password. The username is 'admin' and password is 'password'. When you enter the login button the process will be start.
This is the source code of the login page. User name and password has been hard coded . after login details are match it will create an session and that will be call for Token class.
In this Token class , there is a function generate_token , it will be a create a random number (it can be anything unique) and it ll be set as COOKIE Value and name of the cookie will be csrf. that will be save in the server side. that token will generate for only that person who logged in.
And that will be enroll u to enter secret code and the verify code. same as before secret code is 'secret' and Verify code is 'verify'. when u inspect the form there will be hidden input field with value of unique number. and source code of the this page as below,
as code shows , the hard coded value will be compare with the value entered.When the page load there is a script to run. AJAX function function will be called in that script.
In this AJAX function it will call the endpoint call endpoint.php as show in upper figure and in the endpoint the COOKIE value we create when we login to the system will be assign to the JSON array.When the AJAX return that value in success function and and that value append to INPUT HIDDEN field in the form.When you submit that form it will compare the value value hard coded and it ll call the function check_token IN TOKEN class. what that check_token function do is it will check the value inside the form in THAT HIDDEN INPUT Field and the value saved in the COOKIE($_COOKIE['token'] == $_POST['csrf_token']) should be same. if it is same it will show the success message.
What attacker going to do is copy the whole source code and insert the value attacker want and it will send with on load function. what i have done here is i ll change the input field value and and submit the form.
When i submit the form it will compare the value with which store in the session and the value in INPUT HIDDEN field. and it will not valid the token and that process could not be success. and it will show the error message.
GIT HUB Link : https://github.com/reaper-xx/Double_Cookie_Submit.git
Comments
Post a Comment