
The last blog covered what CSRF is and how it works. This blog continues with CSRF prevention. The Synchronizer Token Pattern (STP) is one of the main defences against CSRF.
What is STP?
STP is a CSRF prevention technique in which a "token", a secret and unpredictable value bound to the user's session (in the strictest form, unique for every request), is embedded in the web application's HTML forms and verified by the server when the form is submitted. Recall from the last blog that CSRF attacks target state-changing requests: the attacker cannot read the response to the forged request, so CSRF cannot be used to steal data directly, only to make the victim's browser perform an action. For the same reason the attacker's page cannot read the token from the genuine page, so a forged request arrives without a valid token and is rejected.
Prevention
Generate a random string on the server side, store it in the user's session, and embed it in the page sent to the front end (typically as a hidden form field). When the user submits the form, compare the submitted value with the stored one and reject the request if they do not match.

The above diagram shows how STP is used in HTML POST forms to prevent CSRF. The token stored on the server and the token in the hidden field are compared; only if both are the same is the requested action performed. With this in place, forged POST requests sent from an attacker's page are blocked, because they carry no valid token.
To illustrate this, a simple HTML, JavaScript and PHP project was built.
The username and password are hard-coded (for the demo only) as anony@gmail.com and gT$0om.
1. Login with the credentials
Once the client logs in with their credentials, a session ID is created and they are redirected to the feedback form.

2. Feedback page sent as response

In the source code of the feedback form below, note the hidden input that has no value yet. The CSRF token is set as its value as soon as the response to the Ajax call arrives.


To exchange data with the backend server, the XMLHttpRequest object is used (to learn about XMLHttpRequest, visit https://www.w3schools.com/xml/ajax_xmlhttprequest_create.asp ).
open() and send() are methods of XMLHttpRequest and are used to send the request to the server. Two of its properties are used to pick up the response:
| Property | Description |
| --- | --- |
| onreadystatechange | Defines a function to be called when the readyState property changes |
| readyState | Holds the status of the XMLHttpRequest (4 means the response has been fully received) |
An Ajax call requests a token from the server; in this project a separate PHP file generates the token.
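The browser side of this step, written out as an added example (this is not the post's own script): the token is requested over XMLHttpRequest, placed into the hidden input once readyState reaches 4 with HTTP 200, and the feedback is then posted with the token as a form field. The endpoint names /token.php and /submit.php, the input id csrf_token and the form id feedback are assumptions. The XMLHttpRequest constructor is passed in as a parameter so the same functions run under window.XMLHttpRequest in a page and under a test double elsewhere.

```javascript
// Client side of the Synchronizer Token Pattern flow described above.
// Added example, not code from the original post. /token.php, /submit.php,
// the input id "csrf_token" and the form id "feedback" are assumed names.

// Ask the server for a token. XHR is the constructor to use
// (window.XMLHttpRequest in the browser); done(err, token) is called once.
function requestToken(url, XHR, done) {
  const xhr = new XHR();
  xhr.open('GET', url, true);                // asynchronous GET to the token endpoint
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;        // 4 = DONE: response fully received
    const token = (xhr.responseText || '').trim();
    if (xhr.status === 200 && token !== '') {
      done(null, token);
    } else {
      done(new Error('token request failed, HTTP ' + xhr.status));
    }
  };
  xhr.send();                                // a GET carries no body
}

// Put the token into the hidden <input>; returns the value that was set.
function setHiddenToken(hiddenInput, token) {
  hiddenInput.value = token;
  return hiddenInput.value;
}

// Encode the fields as application/x-www-form-urlencoded, as the browser does
// on a normal form submit. Refuses to build a body without a token, so a failed
// token request can never turn into a token-less POST.
function buildFormBody(fields) {
  if (!fields.csrf_token) {
    throw new Error('refusing to submit without a CSRF token');
  }
  return Object.keys(fields)
    .map(function (k) { return encodeURIComponent(k) + '=' + encodeURIComponent(fields[k]); })
    .join('&');
}

// POST the feedback together with the token; returns the encoded body that was sent.
function submitFeedback(url, fields, XHR, done) {
  const body = buildFormBody(fields);        // throws if csrf_token is missing
  const xhr = new XHR();
  xhr.open('POST', url, true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    done(xhr.status === 200 ? null : new Error('submit rejected, HTTP ' + xhr.status),
         xhr.responseText);
  };
  xhr.send(body);
  return body;
}

// Page wiring; only runs inside a browser.
if (typeof document !== 'undefined') {
  const hidden = document.getElementById('csrf_token');
  const form = document.getElementById('feedback');
  requestToken('/token.php', window.XMLHttpRequest, function (err, token) {
    if (err) { console.error(err); return; }
    setHiddenToken(hidden, token);           // hidden field now carries the token
  });
  form.addEventListener('submit', function (ev) {
    ev.preventDefault();
    submitFeedback('/submit.php',
      { feedback: form.elements.feedback.value, csrf_token: hidden.value },
      window.XMLHttpRequest,
      function (err, text) { if (err) console.error(err); else console.log(text); });
  });
}
```

What keeps the token secret here is the same-origin policy: an attacker's page on another origin can make the victim's browser send the POST, but its own XMLHttpRequest cannot read the response of /token.php, so the token endpoint must not be exposed through a permissive CORS policy that allows credentialed cross-origin reads. The extra round trip is also optional; the server can render the token straight into the hidden field when it generates the page.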
3. Creation of token

The token must be unpredictable, so openssl_random_pseudo_bytes is used to generate cryptographically random bytes (check its $crypto_strong output parameter, or on PHP 7 and later simply use random_bytes()). The bytes are then base64-encoded. The encoding is not what protects the token: an intercepted base64 string is trivially decoded. It only turns the binary value into text that can be safely placed in a hidden field and in a text file; the security comes from the token being unguessable.
The generated token is stored as a session variable and also written to a text file; the session ID is stored alongside it so the token can be matched to its session later. The code used to write to the text file:
Once the file is written, the session token can be sent as the response to the Ajax call.
4. Token stored in the hidden field

5. Token comparison for validity

If the form came from the genuine website, it carries the hidden token and validation succeeds; a forged request carries no token (or a wrong one) and is rejected. On the server, a missing token must count as a failure, and the comparison should use a constant-time function such as PHP's hash_equals() rather than ==. Although STP prevents CSRF, it has a drawback: the server must keep a token/session pair for every logged-in user, which adds state on the server side (and, with many users, load), since the validation is done there. The Double Submit Cookie pattern addresses this drawback.
