Posts

Showing posts from May, 2018

RESTful API

RESTful API In this blog post I am going to show how to create a resource server API. First we need to understand how it works. We can use an existing authorization server, or, as here, you can create your own authorization server and resource server both in a single API. Sample code is uploaded to my GitHub. LINK : "     " This is written using Node.js. In order to run this on your computer you have to have Node.js installed. app.js This app runs on port 4000. You can give any port number here. There are two endpoints which I have created in this. One is to get the access token, which is "/oauth/token", and the other one is to get resources, which is "/profile". As a resource I have hard-coded one value, which is the name ("pasan"), and this comes as a JSON object. model.js (username = test, password = test) All the functions that handle requests from the client are written here. Run ...

Cross Site Request Forgery (METHOD 02)

Cross Site Request Forgery (METHOD 02) In the last post, Cross Site Request Forgery (Method 01), we discussed how to achieve CSRF attack protection using the synchronized token pattern. With this post let's see how to do it using the double-submit cookie pattern. Referring to the above diagram, in the double-submit cookie pattern two cookies (one for the session and one for the CSRF token) are stored in the web browser. In the previous method we stored the CSRF token values on the server side; here that is not how it is done. A sample website was created and you can find it in my GitHub. LINK : "https://github.com/PasanRS/Cross-Site-Request-Forgery-METHORD-02-" index.php Once this page gets loaded in the web browser the user sees a simple login form. Username and password are hard-coded in the code, as in the previous example. result.php As you can see, two cookies are stored in the browser. These cookies have a 1 year expiration time an...

Cross Site Request Forgery (METHOD 01)

Introduction to Cross Site Request Forgery Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. In this post you can learn how CSRF tokens can be used to protect your own website, by generating Cross-Site Request Forgery tokens on the server side and validating them before responding to any client request. The sample website's source code is uploaded to GitHub and you can download it from there. LINK : "https://github.com/PasanRS/Cross-Site-Request-Forgery-METHORD-01-" What does this website do? The user logs into the website using his/her credentials (username and password are hard-coded as "pasan", "pasan"). Upon login a session will be created and the session id w...