As OWASP defines it: "Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request."
This blog post describes a method you can apply to protect your own website: generating Cross-Site Request Forgery tokens on the server side and validating them before responding to any state-changing client request.
Now we'll move on to a sample website to understand the method described above.
Here I have 5 .php files and one .txt file called "authKeys"; the other files just add some visual effects to the page. ;)
And here is my "index.php" page.
When a user logs into the website with his/her credentials (here my username is "JANITHA" and my password is "SSE"), a login session is created, and the session id is mapped to the CSRF token that is generated along with the session.
Then, if he/she entered the right credentials, the user is redirected to another page that asks for his/her first name and last name. At the same time, a token is stored in "authKeys.txt" automatically.
Once the user enters the first name and the last name, the CSRF token is validated. If it is valid, the user gets a message saying "Token is Valid".
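The same synchronizer token flow in a single PHP page, as an added example that is not the code from the post's repository: it keeps the token in PHP's own session store instead of the post's "authKeys.txt" file, and the form field and message names are my assumptions.

```php
<?php
// Added example (not the post's own code): synchronizer token pattern in PHP.
// The token lives in $_SESSION, so it is bound to the session id like the post's
// authKeys.txt mapping, but without a world-readable file on disk.
declare(strict_types=1);
session_start();

// Issue one token per session from a CSPRNG; reuse it for the session's lifetime.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits, hex-encoded
    }
    return $_SESSION['csrf_token'];
}

// Validate the submitted value in constant time. Untyped on purpose: a forged
// request may send an array or nothing at all, and both must simply fail.
function csrf_valid($submitted): bool {
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Only POST changes state; GET just renders the form and never acts on input.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Token is invalid');
    }
    // Escape user input before echoing it back, so the success page cannot XSS itself.
    $first = htmlspecialchars($_POST['first_name'] ?? '', ENT_QUOTES, 'UTF-8');
    $last  = htmlspecialchars($_POST['last_name'] ?? '', ENT_QUOTES, 'UTF-8');
    echo "Token is Valid. Hello {$first} {$last}";
    exit;
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <label>First name <input name="first_name" required></label>
  <label>Last name <input name="last_name" required></label>
  <button type="submit">Submit</button>
</form>
```

A cross-site form post from another origin cannot read the session's token, so it fails the `hash_equals` check and gets a 403. Call `session_regenerate_id(true)` at login, before the token is issued, so the token is tied to a fresh session id rather than one fixed before authentication.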
https://github.com/janitha1st/Sample-Synchronizer-Token-Patterns-
This is just one simple method; you can try many other ways to do the same thing.
Try something different and make a change! :) :)