I have been reading about using a synchronizer token pattern to prevent CSRF (CSRF meaning Cross-site request forgery.), and I don't understand how it actually safe.
Let's say I have a fake bank site fakebank.com with two urls:
fakebank.com/withdrawForm.html
- a GET request which displays the withdraw money formfakebank.com/doWithdraw
- POST to this url to do the withdrawMy understanding of the security flaw is that maliciousSite.com
can spoof a POST request to fakebank.com/doWithdraw
, and if you're currently logged in to fakebank, the POST will be successful.
Let's say we implement a Synchronizer Token Pattern which will embed a secret code on fakebank.com/withdrawForm.html
. Can't maliciousSite.com
just spoof a GET request for that form, parse the html result, get the token, and then create the POST request with that token?
This is assuming fakebank.com isn't checking HTTP Referrer or Origin or maliciousSite.com
is successfully spoofing that the Referrer/Origin is fakebank.com.
CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user.
Synchronizer token pattern (STP) is a technique where a token, secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. Then the token is generated by the server with ensuring the uniqueness. In here server generates token per every session.
The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be: Unpredictable with high entropy, as for session tokens in general.
A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be of large random value to make it difficult to guess. A CSRF secure application assigns a unique CSRF token for every user session.
The reason why this is secure, and maliciousSite.com
cannot simply do a GET
, steal the token, and then do a POST
is that the request is done by the user's browser, not by the server at maliciousSite.com
. All data returned from fakebank.com
is returned to the user's browser, not to the server at maliciousSite.com
. If maliciousSite.com
does perform a GET to retrieve a token, it will be a different token than was issued to the user. maliciousSite.com
cannot set this cookie into the user's browser to be submitted to fakebank.com
because of same-domain restrictions.
The CSRF POST
attack works by tricking the user's browser into requesting fakebank.com/withdrawForm.html
directly using a properly formed POST
request. The server at fakebank.com
happily executes the requested POST
, thus transferring funds using the parameters supplied in the POST
body (which include a destination account belonging to the attacker that was put there by maliciousSite.com
). The server at maliciousSite.com
doesn't need to see the data returned, because the action has been taken (unless fakebank.com
uses these CSRF tokens, which the maliciousSite.com
can't possibly know unless it has been divulged in some way. It can't ask for it). If fakebank.com
is using CSRF tokens, then maliciousSite.com
will submit a POST
request that is missing the token, thus indicating a potential CSRF attack in progress.
Vulnerabilities of this method include using a CSRF token that is not kept sufficiently secret and is divulged in some way. Also, if the CSRF token is not sufficiently random, then maliciousSite.com
might be able to guess it. Also, if there is a weakness in the browser's enforcement of same domain policy, this could be exploited. Generally speaking, modern browsers are not vulnerable to this.
Please let me know if this is an insufficient explanation and I'll attempt to articulate it a little better for you.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With