Wednesday, May 23, 2018

RESTful API

Resource Server API

You can use either an existing authorization server or your own. Here, I created an authorization server and a resource server together in a single Node.js application. To run it on your computer, you need Node.js installed.

app.js 


I created two endpoints in this file: "/oauth/token", which issues the access token, and "/profile", which returns the protected resource.

model.js








Here I first created a user (username = thusiya, password = thusiya); all the functions that handle requests from the client are written in this file.

Run




Run this resource server using Node.js.

First of all, we have to make a POST request to get the access token from the authorization server.
For that we send the authorization key in the header:

Authorization: Bearer XXXXXXXXXXXXXXX

We also have to set the content type in the header:

Content-Type: application/x-www-form-urlencoded


Then we send these three parameters in the body:
username=thusiya
password=thusiya
grant_type=client_credentials

The URL should be the endpoint that gives us the access token.

http://localhost:4000/oauth/token



When we send this request, we get a response that contains the access token. The access token also has an expiration time.

Then we make a GET request to retrieve the resource we need.






Now the URL is different, because we call a different endpoint to get the resource: "http://localhost:4000/profile". The access token goes in the Authorization header:

Authorization: Bearer XXXXXXXXXXXXXXX

When you send this request, you get a response that contains the resource we specified in the code:
{"name":"thusiya","id":"set"} 


You can download the source code from my GitHub.

https://github.com/thusith94/RESTful_API









Cross Site Request Forgery - method 02

In this post, I discuss how to protect against CSRF attacks using the double-submit cookie pattern.

Work Flow


In the double-submit cookie pattern, two cookies (the session cookie and the CSRF token) are stored in the browser. In our previous method we stored the CSRF token values on the server side (in a text file); here we don't.

index.php


The user logs in to the website with their credentials. Here, I hard-coded the credentials for testing purposes, like this: ($uname == 'thusiya' && $pwd == 'thusiya').



result.php





As you can see, two cookies are stored in the browser. These cookies have a one-year expiration time and are accessible from anywhere on the site.


home.php



The CSRF cookie value and the CSRF value from the HTML hidden field are passed to the checkToken function as parameters.

token.php


If the two CSRF values match, the function returns true.

You can download the source code from my GitHub.

https://github.com/thusith94/Cookies-Patterns















Tuesday, May 22, 2018

Cross Site Request Forgery - method 01

What is Cross Site Request Forgery?


Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

In this blog entry, I will talk about a strategy you can use to secure your own site by generating Cross-Site Request Forgery tokens on the server side and validating them before responding to any client request.

How does it work?

The user logs in to the website with their credentials. Here, I hard-coded the credentials for testing purposes, like this: ($uname == 'thusiya' && $pwd == 'thusiya'). On sign-in a session is created, and the session id is used to map to the CSRF token that is generated along with the session. The user is then redirected to a page that allows them to update posts. This page is loaded with the help of AJAX, and the generated CSRF value is added to a hidden field in the HTML file. When the user updates a post, the CSRF token is validated; if it is valid, the post is shown to the user.




Index.php File



Once the form is submitted, the result.php file is called.



The code for validating the user inputs looks like this. An AJAX call is made to the csrf_token_generator.php file to obtain the generated CSRF token and put it into the hidden text field inside the HTML file.


csrf_token_generator.php

This PHP file generates the CSRF token. It also sets a browser cookie with the value of the session_id. After that, the CSRF token value is stored in a text file called Tokens.txt along with its session_id.


openssl_random_pseudo_bytes() is used to generate the 32-bit long CSRF token.

token.php


This PHP file has the checkToken function, which takes two parameters (the CSRF token and the session id) and returns true if the given parameters match the values stored inside the text file.

Tokens.txt



home.php




You can download the source code from my GitHub.