Posts

Implementing a web application that consumes the service of an OAuth Authorization Server and an OAuth Resource Server.

Have you ever wondered how the "Login with Facebook" or "Login with Google" mechanism is implemented when you are signing up for a new account on different web platforms? Well, this is how it's done! First of all, let's understand the process and the framework behind this mechanism.

OAuth 2.0 Framework

This framework acts as an intermediary that carries out the token and key exchange between the third-party app that requires certain user details and the HTTP service, such as Facebook. It is an open standard framework, strongly supported by Facebook and Google from the start. It gained popularity fast and is now widely adopted and supported by many web services such as Amazon, Facebook, Instagram, LinkedIn, Microsoft, Netflix, PayPal and many more.

How it works!

[img 1.1]

Go through img 1.1 and you'll get a basic understanding of how this works.

[img 1.2]

Let's Get Technical!

To give your application the ability t...

Double Submit Cookie Patterns 🍪 🍪 to prevent Cross-site Request Forgery (CSRF)

What is CSRF - Cross Site Request Forgery

When an unwanted action is forced to be performed on a trusted site to which the user is currently authenticated, it's called a CSRF.

What is a double submit cookie pattern and how it works

Basically, there are two patterns for stopping CSRF attacks: Double-Submit Cookie and Synchronizer Token. Let's see how the Double Submit Cookie Pattern works!

It works like this. If a view is protected against CSRF, when the view responds to any request whose method is "unsafe", e.g. POST, PUT, and DELETE, it requires a csrfmiddlewaretoken to be passed in the request payload. It checks the value of this token against the csrftoken, a cookie which is also passed along with the request. If they don't have the same value, the request is rejected. The key here is that the browser passes two tokens in the request which must have the same value: the csrfmiddlewaretoken in the request body, and the csrftoken in the c...

Cross site request forgery (CSRF) prevention through Synchronizer Token Patterns 📛📛📛

The number of cyber attacks increases enormously each day. Therefore security is a must. If your web application is not protected, it might be vulnerable to CSRF, or Cross Site Request Forgery.

What is Cross Site Request Forgery?

When an unwanted action is forced to be performed on a trusted site to which the user is currently authenticated, it's called a CSRF.

How to protect from CSRF

To apply this protection against a CSRF scenario, we should have a web application. Suppose we have the server side and the client side of the web app as server.php and index.php respectively. First of all we should create a session on the client side and set a cookie to store the session ID. The cookie will be used for validating the token as we go along the process. Now when we run the client side, we get a session for the user and the ID will be saved under the sessionID variable. Now all we want is a CSRF token; this should be saved on the server side of the web application. ...