Monday, May 21, 2018

Double Submit Cookies Patterns


Before we begin to learn what a Double submit cookie pattern is , lets learn what a double submit cookies is. A definition that we could use is that  is sending a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match. 

When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id. The site does not have to save this value in any way, thus avoiding server side state. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie. Since the cookie value and the request parameter or form value must be the same, the attacker will be unable to successfully force the submission of a request with the random CSRF value.



Following can be used if you require to have additional defenses to strengthen double submit cooki patters

  • HTTP Strict Transport Security (HSTS)
  • Cookie Prefixes ("__HOST-" the one you want)
  • Sign cookie to user
  • Use custom HTTP header to send request token


This is how we can do double submit cookie





using java-script we can load csrf token into form filed with hidden values. also in here we also check user submissions in back end,whenever user request a page he/she gets a totally random value, so he/she cant predict it and perform exploitation againts legitimate users







And remember to set cookie domain,this prevent from reading cookie value from another address rather than you mentioned one












No comments:

Post a Comment

Test Images

Below images  are being used for the   Hashtag Generator and Content Authenticator research .