Synchronizer Token Pattern (STP)

Himashi Karunathilake
3 min read · Oct 11, 2019

In my previous post, I explained what CSRF attacks are. There, we identified Synchronizer Token Pattern as one solution for CSRF and this post will focus on that.

Introduction

Synchronizer Token Pattern is a technique where a token (a secret, unique value) is embedded in every HTML form and verified on the server side.

Characteristics of the Synchronizer Token Pattern:

  • Unique per user session
  • Large random value
  • Generated by a cryptographically secure random number generator
  • Added to the session and checked in the back end
  • Added as a hidden field in forms, or within the URL if the state-changing operation occurs via a GET request
  • Rejects the action if validation fails

Prevention

Generate a random string on the server side, embed it in the page sent to the front end, and compare the two values when the user submits the page.

An Example Scenario

The source code of the web application used here: https://github.com/Himashi-Karunathilake/CSRF-Synchronizer-Token-Pattern

[Figure: Enter User Credentials (form code)]

This form submits the user credentials using the POST method, as shown above. If authentication is successful, a unique session ID and a CSRF token are created for this session. At the same time, the generated session ID is set as a cookie in the browser. The CSRF token is stored against the session identifier on the server side.

[Figures: Token; After Successful Login; Created Token]

After the user logs in, the browser sends an Ajax call to token_generator.php to fetch the CSRF token. This request carries the session ID. The returned token is embedded into a hidden field in the form.

After a successful login, the user is redirected to a page where they can add a new blog post. When the user clicks the “Add Post!” button, the server validates the session ID taken from the request header and the CSRF token sent in the body.

If the token is valid, the server accepts the request; if it is invalid, the server ignores the request.
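The login, token-fetch and validation steps above, written out as an added example in Python (this is not code from the original post or from the linked GitHub project; the function names and the in-memory dictionary standing in for the server's session store are assumptions). The session ID travels in the cookie, the token only in the form body, so a request that arrives with a valid cookie but no matching token is rejected:

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage (e.g. PHP's $_SESSION):
# session_id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}


def check_credentials(username, password):
    # Constructed placeholder credential check for the example only.
    return (username, password) == ("alice", "correct horse")


def login(username, password):
    """On successful login, create a session ID and bind a fresh CSRF token to it.
    Returns (session_id, csrf_token): the session ID is set as a cookie, the token
    is later fetched by the page and placed in a hidden form field."""
    if not check_credentials(username, password):
        return None
    session_id = secrets.token_hex(32)  # unique per session, from a CSPRNG
    csrf_token = secrets.token_hex(32)  # large random value, from a CSPRNG
    SESSIONS[session_id] = {"user": username, "csrf_token": csrf_token}
    return session_id, csrf_token


def token_for_session(session_id):
    """Role of token_generator.php: return the token bound to the caller's session."""
    sess = SESSIONS.get(session_id)
    return sess["csrf_token"] if sess else None


def handle_add_post(cookie_session_id, form_fields):
    """Server side of 'Add Post!': session ID from the cookie, token from the body.
    Returns an (http_status, message) pair."""
    sess = SESSIONS.get(cookie_session_id)
    if sess is None:
        return 401, "no valid session"
    submitted = form_fields.get("csrf_token", "")
    # Constant-time comparison, so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "request ignored: CSRF token missing or invalid"
    return 200, "post added for %s: %r" % (sess["user"], form_fields.get("title", ""))
```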

[Figure: Ignore Request if Token is Invalid]

Conclusion

If the attacker sends a link that contains a hidden POST request to add a blog post, the attacker cannot include the CSRF token in that POST request. Hence, the server ignores the request. Therefore, this method works against CSRF attacks.

This work was done as part of the assignment submission for the 2nd Year — 2nd Semester Web Security (WS) module of Sri Lanka Institute of Information Technology (SLIIT).

Originally published at http://mysnowfrostpersonal.wordpress.com on October 11, 2019.
