Double Submit Cookies Pattern - Node.js


Hello! I hope you had a good day and an awesome week. 😊

In this post, we are going to talk about how to prevent Cross-site Request Forgery (CSRF) using Double Submit Cookies Pattern and its Node.js implementation. If you are unaware of CSRF, I recommend you to read my previous post here as it is crucial to understand Double Submit Cookies Pattern.

 Prerequisites are the knowledge about cookies, CSRF and Synchronizer Token Pattern.

 As discussed earlier, there are some drawbacks of Synchronized Token Pattern, namely,

  • The requirement of excessive storage space in the server due to the fact that all the CSRF tokens are stored.
  • Useless if the server supports cross-domain AJAX requests.

To overcome the aforementioned reasons and to prevent CSRF, Double Submit Cookies Pattern can be used.

Double Submit Cookies Pattern


Double Submit Cookies Pattern

When Harry signs in to the bank’s website using his username and password, the bank’s server would create a session and a unique CSRF token for him. Unlike in Synchronizer Token Pattern, CSRF token would not be saved in the server. Instead, it is sent in a cookie to the browser along with the session cookie. Both cookies can be created at the same time or CSRF token cookie can be created after the session cookie. Once Harry requests the ‘Money Transfer’ page, the server returns the related HTML page. JavaScript inside the returned page would read the cookie and put CSRF token value in a hidden field like in Synchronizer Token Pattern.

                                   <form>
                                   <input type=”hidden” name=”X-CSRF-TOKEN” value=”PQR” />
                                   </form>

When Harry submits the money transfer form, CSRF token is sent in the body with rest of the data along with all the cookies created by the destination domain, which in this scenario is ‘unionsavingsbank’. So, both session cookie and CSRF token cookie would be transmitted in the header of the request. The server then validates the request by comparing the received CSRF token value against the value of received CSRF token cookie. If valid, the request is processed.

How this prevent CSRF is due to the fact that cookies from one domain can’t be accessed by other domains. So, if a malicious website tries to attack, it won’t be able to read the cookies created by ‘unionsavingsbank’ domain resulting it not being able to read CSRF token cookie.

One drawback in this method is that we can’t set ‘httpOnly’ flag to CSRF token cookie as JavaScript won’t be able to read the cookie if it is applied.

Node.js Implementation

The template I used for this application can be found at,
 https://colorlib.com/wp/template/login-form-v2/


Login Page


Shown above is the login page, which simply accepts username and password. Once the ‘LOGIN’ button is clicked, the application sends a POST request to the ‘/home’ endpoint of the server where the user is validated and redirected to the home page where transferring money can happen.


/home Endpoint


Above shows the ‘/home’ endpoint where it can be seen that during the login, three cookies, session-id, date and csrf-token will be created. In the generation of session-id UUID (universally unique identifier), the timestamp is used and csrf-token UUID is generated randomly. Cookies are seen in the browser as follows.

Created Cookies


When successfully logged in, the user is directed to the following home page.


Home Page

Home Page HTML


Above shows the HTML code of the home page which contains a form for money transfer. There it can be seen during the form load, JavaScript reads the csrf-token cookie and put it in a hidden field as below.




Once ‘TRANSFER’ button is clicked, a POST request is sent to ‘/transfer’ endpoint where the CSRF token value is validated with csrf-token cookie value as below.


/transfer Endpoint


In this scenario, transferring of money happens only if the two values are equal.

This way Cross-site Request Forgery can be prevented through Double Submit Cookies Pattern.

The full implementation of this example can be found at,
 https://github.com/hinami95/double-submit-cookies-pattern-nodejs

I hope now you an idea what Double Submit Cookies Pattern is and how to implement it using Node.js.

Although the web application is now CSRF protected, there are so many other vulnerabilities it can contain. You can read about them at,
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

I wish you all an amazing week ahead! Adios 😊






Comments

Post a Comment

Popular posts from this blog

Synchronizer Token Pattern - Node.js

Image
Hello! I hope you had a good day and an awesome week. 😊 With the advancement of technology in information and communication sectors, millennials are electronics-filled, increasingly online and socially networked, which is exactly why everything can be done once you are connected to the internet. Doing online transactions have become so much easy making it is just a button click but, can we guarantee the safety of these transactions? Cross-site Request Forgery (CSRF) is a type of attack which targets such online transactions. You’ll need to have the knowledge of cookies as a prerequisite to fully understand CSRF. What is Cross-site Request Forgery? Cross-site Request Forgery (CSRF) is a malicious exploit of a website where unauthorized commands are sent from a user the website trusts, without this particular user’s knowledge. This is a vulnerability found in websites. Let’s see the below example to understand CSRF. Cross-site Request Frogery When Harry ...
Read more

Implementing an OAuth 2.0 Client - Node.js

Image
Hello! I hope you had a good day and an awesome week. 😊 Daily we come across many websites that would require us to register with them in order to fulfil our requirements. As we need to complete our work we would make an account on these websites even though we are not going to use them regularly or ever again. This would result in a long list of usernames and passwords for us to remember and forgetting at least one would be a troublesome task of resetting it. As a solution to this problem, Single sign-on was introduced along with social logins. Single sign-on provides a way for users to have a single set of credentials (username and password) for multiple applications. This was achieved using social logins, where existing login details of a social platform provider can be used to register to a third-party website instead of creating a new set of credentials. OAuth 2.0 is a framework which helps in such a situation. What is OAuth 2.0? OAuth (Open Authorization)...
Read more