Synchronizer Token Pattern (STP)
This is the second part of the series “Introduction to Cross-Site Request Forgery (CSRF)”.
Introduction
In my previous blog post, I explained the concepts of CSRF, its risk and pointed out the prevention strategies. In this blog, I will be demonstrating the first prevention method, “Synchronizer Token Pattern”. Before I begin, let me define some terms and the prerequisite knowledge needed to understand STP.
Token — A secret and unique value given for each request to the server
Ajax — STP method uses ajax calls to request the Token (it is a simple snippet, so no worries)
Let’s Dive Right In
The important concept behind STP is how a form is validated. Any form originating from the legitimate web page will always carry a CSRF token, and that token is compared with the token stored on the server. Therefore, the attack methods I explained in the earlier blog post become useless, since the forged requests do not contain the CSRF token.
I have developed this application in HTML, JavaScript and PHP. You can find the source code here.
Note: I have hardcoded the username and password.
Username — user@gmail.com
Password — yolo
Step 1: The user logs in with valid credentials.
When the user logs in with valid credentials, a session id is assigned and the user is sent to the feedback page.
Step 2: The feedback page is sent as a response
In the source code below, you can observe that there is a hidden input, but its value is not set. The CSRF token will be set as its value as soon as the server responds to the Ajax call.
Step 3: When the feedback page loads, it asynchronously requests the CSRF token from the server.
The XMLHttpRequest object is used to exchange data with a server behind the scenes.
To send a request to a server, we use the open() and send() methods of the XMLHttpRequest object.
The onreadystatechange property defines a function to be executed when the readyState (which holds the status of the XMLHttpRequest) changes.
In short, an Ajax call is sent to token_gen.php on the server to request a token.
Step 4 & Step 5: The CSRF token is created and stored on the server, and the token is sent as the response.
As I mentioned earlier, the CSRF token should be a random value. This can be achieved with openssl_random_pseudo_bytes(32), which creates a random string of 32 bytes. This should be base64-encoded to make the token difficult to read if intercepted. Once the token is generated, it is stored as a session variable and also written to a text file. To tie the token to its owner, the session id is stored along with the token.
Once the file is written, the session token can be sent as the response to the Ajax call.
Step 6: The CSRF token is received and set as the value of the hidden input in the form.
Step 7 & Step 8: The form is submitted and the values are compared
The token from the form is compared with the CSRF token stored in the text file. Along with it, the session cookie is validated against the stored session id. If the form came from the legitimate website, it will carry the hidden token and be validated successfully.
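Here is an added example of my own, not the article's token_gen.php or its validation script, that shows Steps 4 & 5 (generate and store the token with its session id) and Steps 7 & 8 (compare the submitted token against the stored one) in one file. It assumes a JSON file as the token store, since the article's text-file format is not shown, and the function names are mine.

```php
<?php
// Added example (not the article's token_gen.php): token generation and
// validation for STP, keyed by session id. Assumption: the store is a JSON
// file mapping session id -> token (the article's text-file format is not shown).

const TOKEN_STORE = __DIR__ . '/csrf_tokens.json';

// 32 bytes from the CSPRNG (random_bytes, PHP 7+; the article uses
// openssl_random_pseudo_bytes), base64-encoded so the value fits in a form
// field. Base64 is transport encoding, not secrecy: the token is protected
// by being unguessable and bound to the session, not by being encoded.
function generate_token(): string {
    return base64_encode(random_bytes(32));
}

function load_store(string $file): array {
    $data = is_file($file) ? json_decode((string) file_get_contents($file), true) : null;
    return is_array($data) ? $data : [];
}

// Steps 4 & 5: persist the (session id, token) pair before answering the Ajax call.
function store_token(string $file, string $sessionId, string $token): void {
    $store = load_store($file);
    $store[$sessionId] = $token;
    file_put_contents($file, json_encode($store), LOCK_EX);
}

// Steps 7 & 8: the submitted token must match the one stored for *this* session.
// hash_equals() compares in constant time so the match is not leaked via timing.
function validate_token(string $file, string $sessionId, ?string $submitted): bool {
    if ($submitted === null || $submitted === '') {
        return false;                 // forged form: no hidden token field at all
    }
    $store = load_store($file);
    if (!isset($store[$sessionId])) {
        return false;                 // no token was ever issued to this session
    }
    return hash_equals($store[$sessionId], $submitted);
}

// Stand-alone run: php stp_example.php
if (PHP_SAPI === 'cli') {
    $sid   = bin2hex(random_bytes(16));  // stands in for the PHP session id
    $token = generate_token();
    store_token(TOKEN_STORE, $sid, $token);
    var_dump(validate_token(TOKEN_STORE, $sid, $token));              // legitimate form
    var_dump(validate_token(TOKEN_STORE, $sid, null));                // token missing
    var_dump(validate_token(TOKEN_STORE, 'another-session', $token)); // token issued to a different session
    unlink(TOKEN_STORE);
}
```

In the real application, $sid would come from session_id() after session_start(), and $submitted from the hidden form field in $_POST.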
Conclusion
STP is a good method to prevent CSRF attacks, but as a downside it needs to store a token and session pair for each user on the server. This can overload the server if the website has many logged-in users, because the validation is done on the server side.
In my next blog post, I will be demonstrating the Double Submit Cookie Pattern. If you have any questions regarding STP, feel free to comment below. I will try my best to answer them.