{"id":123,"date":"2018-05-08T01:47:49","date_gmt":"2018-05-08T01:47:49","guid":{"rendered":"http:\/\/hackerintent.co.nf\/?p=123"},"modified":"2018-05-08T01:47:49","modified_gmt":"2018-05-08T01:47:49","slug":"double-submit-cookie","status":"publish","type":"post","link":"https:\/\/takeondevops.com\/?p=123","title":{"rendered":"CSRF in WebApps | Double Submit Cookie Patterns"},"content":{"rendered":"<p>In this blog post we will look at how to implement Cross-Site Request Forgery (CSRF) protection using the Double Submit Cookie pattern.<\/p>\n<div class=\"entry-content\">\n<h3>First things first<\/h3>\n<p>This blog is primarily focused on security, so the first thing I will do is integrate the OWASP Dependency-Check plugin into the project. With Maven we often add many dependencies and third-party libraries without checking how secure they are, and a single vulnerable dependency can make the whole application we are developing vulnerable. It is therefore important to have the OWASP Dependency-Check plugin in place to check for known vulnerable dependencies.<\/p>\n<h3>Maven Configurations<\/h3>\n<p>Here I have added it with one extra configuration \u2013 apart from generating a report, I have instructed OWASP Dependency-Check to fail the build if any dependency has a vulnerability with a CVSS score greater than or equal to 8. 
This is because I might not pay attention to the report and simply ignore it during the build; if there are critical vulnerabilities the build must fail so that I take note of them and remove the vulnerable version of that dependency.<\/p>\n<pre>&lt;plugin&gt;\n    &lt;groupId&gt;org.owasp&lt;\/groupId&gt;\n    &lt;artifactId&gt;dependency-check-maven&lt;\/artifactId&gt;\n    &lt;version&gt;3.1.2&lt;\/version&gt;\n    &lt;configuration&gt;\n        &lt;failBuildOnCVSS&gt;8&lt;\/failBuildOnCVSS&gt;\n    &lt;\/configuration&gt;\n    &lt;executions&gt;\n        &lt;execution&gt;\n            &lt;goals&gt;\n                &lt;goal&gt;check&lt;\/goal&gt;\n            &lt;\/goals&gt;\n        &lt;\/execution&gt;\n    &lt;\/executions&gt;\n&lt;\/plugin&gt;<\/pre>\n<p>Now that the good practices are out of the way, let's get into the actual application.<\/p>\n<\/div>\n<h3>Double Submit Cookie Patterns<\/h3>\n<p>I have already covered what CSRF is and how we can mitigate it using one of the methods recommended by OWASP. Now I will walk you through another approach to protecting web applications from CSRF. For this purpose I have reused my previous code with a few changes, which I will explain shortly. Now for the burning question &#8211; what is the double submit cookie pattern? Let us address it with the help of the example from the previous blog. In the Synchronizer Token Pattern we set only one cookie on the client side: the session cookie. Here we set two cookies &#8211; the session cookie and the CSRF cookie. Hence, I have removed the <code>CSRFTokenObtainer.java<\/code> class from the previous example.<\/p>\n<p>In this example the CSRF token value is placed in the form as a hidden field. 
Client-side script reads the CSRF cookie and copies its value into that hidden field, so the same token is submitted twice, once as a cookie and once as a form field, and the server checks that the two values match.<br \/>\n<img decoding=\"async\" class=\"\" src=\"https:\/\/i0.wp.com\/c1.staticflickr.com\/2\/1723\/42813186841_10365a21d9_h.jpg?w=756&#038;ssl=1\" data-recalc-dims=\"1\" \/><br \/>\nAbove is a screenshot of the two cookies set on the client side. DBLSesID is the session cookie, which identifies the user across the web application. The value of CSRFDubSub is added to the form as a hidden field.<\/p>\n<h3>OWASP&#8217;s recommendation<\/h3>\n<p>In the above example we validate that the request to transfer funds contains a CSRF token as well as a session token. Another prudent measure is to generate the token with a cryptographically secure random number generator. OWASP recommends this as follows.<\/p>\n<blockquote><p>When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user&#8217;s machine separate from the session id<\/p><\/blockquote>\n<p>I really wanted to bring this to your attention because I have used the Java class <code>SecureRandom<\/code> for exactly this reason, as I did in the last example. Without it, attackers could use cryptanalysis to derive or predict these values, because other random number classes are far more predictable.<\/p>\n<h3>Conclusion<\/h3>\n<p>The Double Submit Cookie pattern is another way to prevent CSRF attacks. I did not add screenshots for each step as in the earlier example because the flow is the same; the differences have been stated above. In the earlier case (Synchronizer Token Pattern) we had a thick server and a thin client; here we have a thin server and a thick client. Depending on which is suitable for the requirements of our application, we can select one of the two approaches. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blogpost we will look at how we can implement Cross-Site Request Forgery protection via Double Submit Cookie Patterns. First things first This blog is primarily focused on security. Hence, firstly, I will integrate the OWASP dependency check plugin to my project. With Maven, we blindly add many dependencies\/ 3rd party libraries without checking [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[3,5],"tags":[],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","category-dev","category-infosec"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CSRF in WebApps | Double Submit Cookie Patterns - Take On Devops<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/takeondevops.com\/?p=123\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CSRF in WebApps | Double Submit Cookie Patterns - Take On Devops\" \/>\n<meta property=\"og:description\" content=\"In this blogpost we will look at how we can implement Cross-Site Request Forgery protection via Double Submit Cookie Patterns. First things first This blog is primarily focused on security. Hence, firstly, I will integrate the OWASP dependency check plugin to my project. 
With Maven, we blindly add many dependencies\/ 3rd party libraries without checking [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/takeondevops.com\/?p=123\" \/>\n<meta property=\"og:site_name\" content=\"Take On Devops\" \/>\n<meta property=\"article:published_time\" content=\"2018-05-08T01:47:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/c1.staticflickr.com\/2\/1723\/42813186841_10365a21d9_h.jpg\" \/>\n<meta name=\"author\" content=\"ihsan izwer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ihsan izwer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123\"},\"author\":{\"name\":\"ihsan izwer\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#\\\/schema\\\/person\\\/465f2fb632235eb4079002754cd66aeb\"},\"headline\":\"CSRF in WebApps | Double Submit Cookie Patterns\",\"datePublished\":\"2018-05-08T01:47:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123\"},\"wordCount\":612,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/c1.staticflickr.com\\\/2\\\/1723\\\/42813186841_10365a21d9_h.jpg\",\"articleSection\":[\"Dev\",\"InfoSec\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/takeondevops.com\\\/?p=123#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123\",\"url\":\"https:\\\/\\\/takeondevops.com\\\/?p=123\",\"name\":\"CSRF in WebApps | Double Submit 
Cookie Patterns - Take On Devops\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/c1.staticflickr.com\\\/2\\\/1723\\\/42813186841_10365a21d9_h.jpg\",\"datePublished\":\"2018-05-08T01:47:49+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#\\\/schema\\\/person\\\/465f2fb632235eb4079002754cd66aeb\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/takeondevops.com\\\/?p=123\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123#primaryimage\",\"url\":\"https:\\\/\\\/c1.staticflickr.com\\\/2\\\/1723\\\/42813186841_10365a21d9_h.jpg\",\"contentUrl\":\"https:\\\/\\\/c1.staticflickr.com\\\/2\\\/1723\\\/42813186841_10365a21d9_h.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=123#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/takeondevops.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CSRF in WebApps | Double Submit Cookie Patterns\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#website\",\"url\":\"https:\\\/\\\/takeondevops.com\\\/\",\"name\":\"Take On 
Devops\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/takeondevops.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#\\\/schema\\\/person\\\/465f2fb632235eb4079002754cd66aeb\",\"name\":\"ihsan izwer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g\",\"caption\":\"ihsan izwer\"},\"url\":\"https:\\\/\\\/takeondevops.com\\\/?author=3\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CSRF in WebApps | Double Submit Cookie Patterns - Take On Devops","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/takeondevops.com\/?p=123","og_locale":"en_US","og_type":"article","og_title":"CSRF in WebApps | Double Submit Cookie Patterns - Take On Devops","og_description":"In this blogpost we will look at how we can implement Cross-Site Request Forgery protection via Double Submit Cookie Patterns. First things first This blog is primarily focused on security. Hence, firstly, I will integrate the OWASP dependency check plugin to my project. 
With Maven, we blindly add many dependencies\/ 3rd party libraries without checking [&hellip;]","og_url":"https:\/\/takeondevops.com\/?p=123","og_site_name":"Take On Devops","article_published_time":"2018-05-08T01:47:49+00:00","og_image":[{"url":"https:\/\/c1.staticflickr.com\/2\/1723\/42813186841_10365a21d9_h.jpg","type":"","width":"","height":""}],"author":"ihsan izwer","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ihsan izwer","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/takeondevops.com\/?p=123#article","isPartOf":{"@id":"https:\/\/takeondevops.com\/?p=123"},"author":{"name":"ihsan izwer","@id":"https:\/\/takeondevops.com\/#\/schema\/person\/465f2fb632235eb4079002754cd66aeb"},"headline":"CSRF in WebApps | Double Submit Cookie Patterns","datePublished":"2018-05-08T01:47:49+00:00","mainEntityOfPage":{"@id":"https:\/\/takeondevops.com\/?p=123"},"wordCount":612,"commentCount":0,"image":{"@id":"https:\/\/takeondevops.com\/?p=123#primaryimage"},"thumbnailUrl":"https:\/\/c1.staticflickr.com\/2\/1723\/42813186841_10365a21d9_h.jpg","articleSection":["Dev","InfoSec"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/takeondevops.com\/?p=123#respond"]}]},{"@type":"WebPage","@id":"https:\/\/takeondevops.com\/?p=123","url":"https:\/\/takeondevops.com\/?p=123","name":"CSRF in WebApps | Double Submit Cookie Patterns - Take On 
Devops","isPartOf":{"@id":"https:\/\/takeondevops.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/takeondevops.com\/?p=123#primaryimage"},"image":{"@id":"https:\/\/takeondevops.com\/?p=123#primaryimage"},"thumbnailUrl":"https:\/\/c1.staticflickr.com\/2\/1723\/42813186841_10365a21d9_h.jpg","datePublished":"2018-05-08T01:47:49+00:00","author":{"@id":"https:\/\/takeondevops.com\/#\/schema\/person\/465f2fb632235eb4079002754cd66aeb"},"breadcrumb":{"@id":"https:\/\/takeondevops.com\/?p=123#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/takeondevops.com\/?p=123"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/takeondevops.com\/?p=123#primaryimage","url":"https:\/\/c1.staticflickr.com\/2\/1723\/42813186841_10365a21d9_h.jpg","contentUrl":"https:\/\/c1.staticflickr.com\/2\/1723\/42813186841_10365a21d9_h.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/takeondevops.com\/?p=123#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/takeondevops.com\/"},{"@type":"ListItem","position":2,"name":"CSRF in WebApps | Double Submit Cookie Patterns"}]},{"@type":"WebSite","@id":"https:\/\/takeondevops.com\/#website","url":"https:\/\/takeondevops.com\/","name":"Take On Devops","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/takeondevops.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/takeondevops.com\/#\/schema\/person\/465f2fb632235eb4079002754cd66aeb","name":"ihsan 
izwer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g","caption":"ihsan izwer"},"url":"https:\/\/takeondevops.com\/?author=3"}]}},"jetpack_featured_media_url":"","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=123"}],"version-history":[{"count":0,"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions"}],"wp:attachment":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}