Posts

Showing posts from August, 2018

CSRF Defence - Synchronizer Token Pattern Demo

I have written some theoretical background on CSRF and CSRF prevention mechanisms in previous posts. If you don't have much idea about what CSRF is and how the prevention mechanisms work, please go back and read them first. These are the links for them: Cross Site Request Forgery (CSRF) and CSRF Defence - Synchronizer Token Pattern. From here onward, I assume you have a basic idea of the concept of a CSRF attack and its prevention mechanisms. So, let's get started. This post is a fully practical one. At the end of it, there will be a fully functioning web-based application to demonstrate how a CSRF attack works and how to prevent it using the synchronizer token pattern. In order to follow this, you will need to set up your development environment first. These are the technologies I used to develop this demonstration application. Technologies: Java 8, Spring Boot Framework, Spring Security, Maven, Bootstrap 4 (optional, just to enhance the look and feel), Integrated Development Environmen...

CSRF Defence - Double Submit Cookie Pattern

This is the third post I have written about CSRF protection. If you haven't read the first and second posts, read them first. Let's start! The Double Submit Cookie Pattern is another method used to prevent CSRF attacks. It is very similar to the synchronizer token pattern. The difference is that the CSRF token is not stored on the server. Instead of being stored on the server, it is stored as a cookie in the browser. Furthermore, the token value is sent in a header or in the body of every request. In a nutshell, with this pattern, in each client-to-server request the client sends the CSRF token both within the body/header and as a cookie. On the server, it checks whether the body/header and the cookie carry the same CSRF token value or different ones. The server executes the operation only if the body/header and cookie values are the same. This is a sample client-to-server request with the double submit cookie pattern. If you have any queries, questions, or suggestions, please add a comment. Thank you

CSRF Defence - Synchronizer Token Pattern

This is the continuation of the previous blog post, CSRF. If you haven't read it, please read it first, because the concept of a CSRF attack is described there. As I mentioned in the earlier post, there are 3 CSRF prevention mechanisms. The Synchronizer Token Pattern is one of them. First I will explain how a person logs into a system and does some work within it. As the first step, the user logs into the system using the login screen. That is the place where authentication happens. After giving correct user credentials (username and password), the system grants permission to access the protected area of the system. Now the system knows who the logged-in person is. But there is a problem. We are using HTTP (Hyper Text Transfer Protocol) in web applications, and it is not a stateful protocol. So we need to maintain the state of the logged-in person in the system. This is the place where the cookie comes into play. 😏 (🍪 Not the cookie we eat). A cookie is a small data item stored in the web br...

Cross Site Request Forgery (CSRF)

When we use computers, it is better if we also know about security risks. Therefore today I will consider a computer security problem. I'm writing this post to talk about a common type of cyber attack named Cross Site Request Forgery (CSRF). Let's talk about what this CSRF means. It is a kind of attack used by hackers to execute some action the hacker wants, using the authorization of the end user (the legitimate user). To make it clearer, I will take an example. This is the story. There are two characters named John and Robert. Both of them have a Facebook account, and John has some photos uploaded to his Facebook account. But those photos can be viewed only by John's friends. Robert is not a friend of John, and so Robert cannot view them. However, he wants to view those photos. One option he has is to become a Facebook friend of John. But the problem is that John does not want to be a Facebook friend with Robert. What can Robert do? According to the abo...