Last active
March 12, 2022 13:17
-
-
Save Sikandarkhan/5a456b1b5872250e6f77e99e22cbbebb to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cross-site request forgery attacks (CSRF or XSRF for short) works by an attacker gaining access to a victim’s browser – typically through a malicious link. An attack targets Web applications failing to differentiate between valid requests and forged(maliciously crafted, unauthorized) requests controlled by the attacker. Successful CSRF attacks can have serious consequences. Such as initiating bank transactions, purchasing an online good, Reset a password etc,. | |
| How does a CSRF attack work? | |
| On their own (phishing site), an attacker could create an button or form that creates a request against your bank site: | |
| <form action="https://vulnerable-website.com/password/change" method="POST"> | |
| <button type="submit">Click here for free Pizza!</button> | |
| </form> | |
| In the forged requests silently can change the password for your bank account. Reference image 1 | |
| There are ways to mitigate CSRF attacks | |
| Using the CSRF tokens in simple 3 steps CSRF attack can be prevented. Process includes | |
| 1. Server sends the client a token. | |
| 2. Client submits a form with the token. | |
| 3. The server rejects the request if the token is invalid. | |
| Using the CSRF tokens, a good number of solutions are designed such as Synchronizer Token Pattern(STP), Double submit cookies. One of the more popular and widely accepted anti-CSRF attack solutions is CSRF Tokens. All modern web application programming languages support CSRF token. | |
| To implement this we can use ExpressJS. This is one of the popular nodejs web frameworks - light, fast and easy to learn. In simple 4 steps you can write the server side application | |
| 1. Import the required module | |
| 2. Initiate the module | |
| 3. Write your route handlers / api. Logic fetch from database, render the pages and return JSON etc,. | |
| 4. Listen on the port such as 8080, 3000 etc,. | |
| Csurf is the official nodejs CSRF protection middleware. | |
| 1. We need to create middleware for CSRF token creation and validation. | |
| 2. And we shall use cookie-parser npm module to store the csrf token during the request - response with the web server. | |
| 3. We need to pass the token in hidden value using the middleware | |
| 4. This token is validated against the visitor's session or csrf cookie. | |
| If token is tampered/ altered then the User request will be denied by the Web server as it is breaching the trust. | |
| Assuming if the token generated from th server and client request matches, then connection will have handshake. | |
| Demo code shared here : | |
| https://github.com/Sikandarkhan/csrf-token-expressjs | |
| Demo video | |
| https://github.com/Sikandarkhan/csrf-token-expressjs/blob/main/README.md | |
| Apart from the CSRF token implementaions standard 5 rules to remember while write an application ; | |
| 1) Use only JSON APIs - by accepting only JSON, you eliminate the possibility of the above form. | |
| 2) Disable CORS - only allow it on OPTIONS, HEAD, GET as they are not supposed to have side-effects. | |
| 3) Check the referrer header | |
| 4) GET should not have side effects - make sure that none of your GET requests change any relevant data in your database. | |
| 5) Don't support old browsers - Old browsers do not support CORS or security policies. | |
| Thank you. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Reference Image 1
Validation of the token