Thursday, May 10, 2018

CSRF Token

Cross-Site Request Forgery Protection in web applications via the Synchronizer Token Pattern


What is Cross-Site Request Forgery (CSRF)?
Cross-Site Request Forgery is an attack in which a malicious site makes a victim's browser send a request to a web application in which the victim is currently authenticated, so the application performs an unwanted action on the victim's behalf. It is also called a one-click attack or session riding. Because the browser attaches the session cookie automatically, the forged request looks legitimate to the server. CSRF targets state-changing requests (a transfer, a password change, a purchase), not data theft: the attacker's page cannot read the response, it can only trigger the action.

As an example, suppose user 'A' wants to transfer $200 through bank 'B'. 'A' logs in, the bank creates a session, and from then on every request from 'A's browser carries the session cookie. An attacker who wants to steal this money crafts a malicious page or link that submits a transfer request to bank 'B' with the attacker's own account as the destination, and lures 'A' into opening it. 'A' believes they are making their own transfer (or just clicking a harmless link), but the browser sends the forged request together with 'A's valid session cookie, so the bank moves the money to the attacker. To prevent this kind of attack on state-changing requests we need to enable CSRF protection in our web pages.

In this blog post we present how to mitigate this attack by enabling CSRF token validation with the synchronizer token pattern.


We have a simple login page that takes a username and password and checks them against hardcoded values. When the login succeeds the server creates a session and generates a CSRF token, which is kept in the session on the server side and also embedded in a hidden field of the web page served to the user. Whenever the authenticated user submits an action, the token posted from the hidden field is compared with the token stored in the session. If the two do not match, or the token is missing, the request is rejected and the user is redirected to the login page; otherwise the request is processed as coming from the logged-in user. The pattern works because an attacker's page can make the victim's browser send a request, but the same-origin policy stops it from reading the token out of the victim's page, so it cannot supply a matching value.

Let's see the source code.

  • This is the file structure. You can clone it from GitHub and run it on localhost.




  • index.php is our login page, where you enter a username and password. If the entered values are correct it redirects to result.php.



  • result.php receives the values posted from the text fields. If the user is valid it redirects to home.php; if not, it redirects back to the login page.




  • token.php holds the generateToken function, which is where the CSRF token is created. The token is generated randomly; it must come from a cryptographically secure random source and be long enough that it cannot be guessed.



  • tokenCheck.php is the file that validates the token: it compares the value submitted in the hidden field with the value stored in the session.




  • When a valid user logs in, they are redirected to home.php.



  • Finally, when both the login and the token are valid, the user is redirected to profile.php.


  • If the token is valid it shows the following message; if not, it shows an error message and redirects.
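The steps above describe the whole synchronizer-token flow. The following is an added, self-contained PHP example of that flow; it is not the blog's own token.php or tokenCheck.php, and the names generateToken, getToken, tokenCheck, csrfField, the session key and the hidden field name csrf_token are assumptions chosen for illustration. The session is passed in as an array so the script runs from the command line without a web server; in the real application the same functions would operate on $_SESSION after session_start().

```php
<?php
// Added example of the synchronizer token pattern (not the blog's own code).
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed name of the session slot holding the token
const CSRF_FIELD_NAME  = 'csrf_token';   // assumed name of the hidden form field

/**
 * Create a fresh token and store it in the session.
 * random_bytes() is a cryptographically secure source; 32 bytes give 64 hex characters,
 * far too much entropy for an attacker to guess.
 */
function generateToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session[CSRF_SESSION_KEY] = $token;
    return $token;
}

/**
 * Return the token stored in the session, generating one on first use
 * (for example right after a successful login).
 */
function getToken(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        return generateToken($session);
    }
    return $session[CSRF_SESSION_KEY];
}

/**
 * Validate the token submitted with a state-changing request against the one in the session.
 * A missing or non-string token fails closed. hash_equals() compares in constant time,
 * so the attacker cannot recover the token byte by byte from response timing.
 */
function tokenCheck(array $session, array $post): bool
{
    $expected  = $session[CSRF_SESSION_KEY] ?? null;
    $submitted = $post[CSRF_FIELD_NAME] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/**
 * Render the hidden field that carries the token into every form on the page.
 */
function csrfField(array &$session): string
{
    $token = htmlspecialchars(getToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $token . '">';
}

// --- Demonstration with a constructed session and constructed request bodies ---
$session = ['user' => 'A'];               // what $_SESSION would hold after login

echo csrfField($session), PHP_EOL;        // the form the legitimate page serves to user 'A'

// 1. Legitimate submission: the browser posts the hidden field from the form it was served.
$legitPost = ['amount' => '200', 'to' => 'B', CSRF_FIELD_NAME => $session[CSRF_SESSION_KEY]];
echo 'legitimate request accepted: ', var_export(tokenCheck($session, $legitPost), true), PHP_EOL;

// 2. Forged submission from an attacker's page: the session cookie rides along automatically,
//    but the attacker cannot read the token, so the field is either guessed or missing.
$guessedPost = ['amount' => '200', 'to' => 'attacker', CSRF_FIELD_NAME => str_repeat('0', 64)];
echo 'forged request with guessed token accepted: ', var_export(tokenCheck($session, $guessedPost), true), PHP_EOL;

$missingPost = ['amount' => '200', 'to' => 'attacker'];
echo 'forged request without token accepted: ', var_export(tokenCheck($session, $missingPost), true), PHP_EOL;
```

In the application, a handler such as profile.php would call tokenCheck($_SESSION, $_POST) before doing any work and, on failure, send the user back to index.php with header('Location: index.php') and exit, which matches the redirect described in the steps above. Two points worth keeping in mind: the token must be compared with hash_equals() rather than == so that timing does not leak it, and the token should be regenerated whenever a new session is created at login so a token from an old session is never accepted.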

This video will help you understand how it works :)


Here is the link to clone the source code from GitHub







