CSRF DOUBLE SUBMIT COOKIE PATTERN

Hasanka Amarasinghe
Oct 13, 2019


What is CSRF?

Cross Site Request Forgery (CSRF) is an attack in which an unwanted action is executed in a web application on behalf of a user who is currently logged in through their browser. This type of attack can result in damaged client relationships, unauthorized fund transfers, changed passwords, altered data and so on. It is usually carried out through social engineering, for example an email or a link that causes the victim's browser to send a forged request to the server. Because the user is authenticated in the application at the time of the attack, the server has no way to distinguish a legitimate request from a forged one.

About

Here we discuss the Double Submit Cookie pattern. The basic mechanism of this method is to send a random value both in a cookie and in a request parameter, with the server verifying that the cookie value and the request value are equal.

How does it work?

(diagram of double submit cookie)

When the user first logs in to the site, the site generates a session identifier and sets it as a cookie in the browser. At the same time it generates a strong random value (the CSRF token) for the session and sets that value as a cookie on the user's machine as well. This random value is also placed in a hidden form field, and the server does not have to store it in any way.

When the user logs in to the application by entering an email and password, the login form submits the credentials using a POST request. The server side then generates a unique session identifier and the CSRF token; the server does not store the CSRF token.

The server then returns the corresponding CSRF token in its response body. The generated session id and the CSRF token returned by the server are both set as cookies in the browser, and the CSRF token is also added to the hidden field of the form.

When the user clicks the “login” button, the POST request is sent. The server reads the session id from the cookie header and compares the CSRF token from the request body against the CSRF token from the cookie header. If the tokens match, the server accepts the request.

How to implement it?

I explain this using my example application: click here

This application is developed using PHP and JS, and I will show you how the CSRF protection works in it. First, you enter the email and password for the demo and log in.

Email — hasanka@gmail.com

Password — hasanka123

(interface of my web application)

If the user is authenticated successfully, the server side creates a session id and a CSRF token. As I mentioned above, the server doesn't store the CSRF token in this scenario.

(Set email and password)

(After successfully login)

After that the user is redirected to the user status update page. There, an ajax call retrieves the cookies and splits them to get only the CSRF token, which it embeds in the hidden field of the form.

(Hidden Field in the form)

When the user fills in the dscaddinfo.php page and submits it, the server compares its server-side session id with the session id in the request header, and it also compares the CSRF token in the hidden field with the token in the request header cookie.

If the tokens match, the request is accepted by the server.

If not, an error message is shown.

Thank you!
