DEV Community: krishnadaspc The latest articles on DEV Community by krishnadaspc (@pckrishnadas88). https://dev.to/pckrishnadas88 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F335468%2Fd42d8ef5-ce84-4ef1-93ca-c17acdb39c43.jpg DEV Community: krishnadaspc https://dev.to/pckrishnadas88 en How CSRF Token protects your web application krishnadaspc Mon, 20 Sep 2021 08:48:54 +0000 https://dev.to/pckrishnadas88/how-csrf-token-protects-your-web-application-5cad https://dev.to/pckrishnadas88/how-csrf-token-protects-your-web-application-5cad <p>We are going to look how CSRF tokens works in a real node express application and how it protects the app from cross site request forgery. If you would like to see the video version of this post you can watch it here.<br> <a href="https://www.youtube.com/watch?v=l3CC4mPGFmw" rel="noopener noreferrer">Watch video here</a></p> <h1> What is cross site request forgery? </h1> <p>When a web server is receives a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for a hacker to send requests to the web server which will be treated as a genuine request. This can be done via a Form submit, URL, image load, XMLHttpRequest, etc. and can result in data breach or unintended code execution. In this post we are going to explain a form submit kind of attack and how CSRF tokens prevents this.</p> <h2> Code set up </h2> <p>There are two fresh express applications running. One is running on port <code>3000</code> which is <strong>App1</strong> and another is running on port <code>5000</code> which is <strong>App2</strong>. Both of these applications are created using the express generator. </p> <h2> App1 Code snippets </h2> <p>Install the npm <code>csurf</code></p> <p>Enable the csrf middleware for the application in <code>app.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">csrf</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">csurf</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// setup route middlewares</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">(</span><span class="dl">'</span><span class="s1">fsgdesgsdYYFCCXXX</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">csrf</span><span class="p">({</span> <span class="na">cookie</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}))</span> </code></pre> </div> <p>Setting up the routes for the App1. Code from <code>routes/index.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="cm">/* GET home page. */</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">index</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">App1, CSRF Demo</span><span class="dl">"</span><span class="p">,</span> <span class="na">csrfToken</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nf">csrfToken</span><span class="p">()</span> <span class="p">})</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/process</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">csrf is valid, data is being processed</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>In the above code we are generating the <code>csrfToken</code> and passing it to the view where we load our form with <code>csrfToken: req.csrfToken()</code></p> <p>In the view we use handlebars as our templating engine and csrf token is added as a hidden input field.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;h1&gt;</span>{{title}}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome to {{title}}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/process"</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"_csrf"</span> <span class="na">value=</span><span class="s">"{{csrfToken}}"</span><span class="nt">&gt;</span> name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"name"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Submit<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>When we start the <strong>App1</strong> we can see a form loaded with the generated csrf token if you check the html view source of the page.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytq4yloi4sobzs0wc9vg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytq4yloi4sobzs0wc9vg.png" alt="Alt Text"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5b3jdvrpzk2fuvxb64pj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5b3jdvrpzk2fuvxb64pj.png" alt="Alt Text"></a></p> <p>and submit the form with some data. You can see this result as <code>csrf token</code> is validated and correct.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fharpuqw246qqlinmzilo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fharpuqw246qqlinmzilo.png" alt="Alt Text"></a></p> <h1> How token protects the app? </h1> <p>Now let's remove the token generation and see how this CSRF middle-ware protects our application. Change the code in <code>app1/routes/index.js</code> like this. Now we pass <code>csrf</code> as an empty string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/* GET home page. */</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">index</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">App1, CSRF Demo</span><span class="dl">"</span><span class="p">,</span> <span class="na">csrfToken</span><span class="p">:</span> <span class="dl">''</span> <span class="p">})</span> <span class="p">});</span> </code></pre> </div> <p>Now if you submit the form you will get an error message like this.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5qxl7k09201q4rjhzv3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5qxl7k09201q4rjhzv3.png" alt="Alt Text"></a></p> <p>Now server rejects the request as it cannot find a valid token in the request and now we are protected from such kind of attacks.</p> <h1> Attack request from App2 </h1> <p>Now let's mimic an attack from another domain/application. In this example which is <strong>App2</strong></p> <p>For the time being just disable the <code>csrf</code> middleware in <strong>App1</strong>. Comment these lines in <code>app1/app.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app.use(csrf({ cookie: true }))</span> </code></pre> </div> <p>In <strong>App2</strong> home route we also have the same form but the form submit action is the url of <strong>App1</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;h1&gt;</span>{{title}}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome to {{title}}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"http://localhost:3000/process"</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"name"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Submit<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>Start the server <strong>App2</strong> which is running on port 5000. You can see the form but now when you submit the form it is accepted as <strong>App1</strong> currently do not have CSRF middleware enabled.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4de40i6iaq5672hpcpx1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4de40i6iaq5672hpcpx1.png" alt="Alt Text"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F351hne14b1ivpivvi0bx.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F351hne14b1ivpivvi0bx.png" alt="Alt Text"></a></p> <p>Now just re enable our <code>csrf</code> middleware in <strong>App1</strong>. Un comment this line<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">csrf</span><span class="p">({</span> <span class="na">cookie</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}))</span> </code></pre> </div> <p>And now when you submit the form from <strong>App2</strong> you will get this error page only. So we are now protected.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj3deyg1yqeturygr8vhm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj3deyg1yqeturygr8vhm.png" alt="Alt Text"></a></p> <p>That's how a CSRF token protects in a real application. You can find the full source code here <a href="https://github.com/pcktuts/csrf-demo-express-js" rel="noopener noreferrer">Github Code Link</a></p> <p>You can follow me on my twitter here <a href="https://twitter.com/pckrishnadas88" rel="noopener noreferrer">KrishnadasPC</a></p> node express security