CSRF attack and protection demo in node server.
- Edit the hosts file:

  ```
  sudo vim /etc/hosts
  ```

  and add the following content:

  ```
  127.0.0.1 local.host
  127.0.0.1 sub.local.host
  127.0.0.1 remote.host
  ```

- Install dependencies:

  ```
  yarn
  ```

- Launch the server:

  ```
  yarn start
  ```
You can set the cookie with different flags by sending these requests:

```
# No restriction
http://local.host:3333/
# SameSite flag set to 'Lax'
http://local.host:3333/?sameSite=lax
# Enable the HostOnly, HttpOnly and SameSite flags
http://local.host:3333/?hostOnly=1&httpOnly=1&sameSite=Strict
```
Simulate the attacks and how to protect against them.

- Set the cookie at http://local.host:3333/.
- Visit http://sub.local.host:3333/form.
- Overwrite the cookie and submit the form to the server; the response's `success` is `true`.

Use the following flags to defend:

- HostOnly: disallow a different origin (including subdomains) from accessing the cookie.
- HttpOnly: prevent JS from accessing the cookie.
- Set the cookie at http://local.host:3333/.
- Visit http://remote.host:3333/link.
- Click the link.
- Check the server console: the image request and the link request reach the server with the third-party cookie.

Use the following flags to defend:

- SameSite
  - None: all requests carry the third-party cookie.
  - Lax: only sync requests (e.g. following a link) carry the third-party cookie.
  - Strict: no third-party cookie.
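The following is an added example, not code from this demo repository. It builds the `Set-Cookie` header value for the flags the demo toggles (HostOnly, HttpOnly, SameSite) and models which requests a browser would attach the cookie to, covering both the subdomain scenario (HostOnly) and the cross-site link/image scenario (SameSite None/Lax/Strict) described above. The hostnames are the demo's; the function names (`buildSetCookie`, `cookieSentWith`, `siteOf`, `domainMatches`) and the request/cookie object shapes are assumptions of this example, and the "site" computation is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List.

```javascript
// Added example (not part of the demo): model cookie scoping and SameSite
// behaviour for the demo's hosts. Hostnames below are constructed from the
// demo's /etc/hosts entries.

const SAME_SITE = new Set(["Strict", "Lax", "None"]);

// Build the Set-Cookie header value the server would emit for the given flags.
// A cookie is host-only exactly when no Domain attribute is present.
function buildSetCookie(name, value, opts = {}) {
  const { hostOnly = false, httpOnly = false, sameSite, domain = "local.host" } = opts;
  const parts = [`${name}=${value}`, "Path=/"];
  if (!hostOnly) parts.push(`Domain=${domain}`);
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite !== undefined) {
    if (!SAME_SITE.has(sameSite)) throw new Error(`bad SameSite value: ${sameSite}`);
    parts.push(`SameSite=${sameSite}`);
  }
  return parts.join("; ");
}

// Registrable "site" of a host. Real browsers use the Public Suffix List;
// the last two labels are enough for local.host / sub.local.host / remote.host.
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Does the cookie's scope (host-only or Domain attribute) cover the request host?
function domainMatches(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost === cookie.setBy;
  return requestHost === cookie.domain || requestHost.endsWith(`.${cookie.domain}`);
}

// Would a browser attach `cookie` to `req`?
//   cookie: { setBy, domain, hostOnly, sameSite }  (sameSite undefined => Lax, as current browsers default)
//   req:    { host, initiator, topLevel, method }
function cookieSentWith(cookie, req) {
  if (!domainMatches(cookie, req.host)) return false;
  const crossSite = siteOf(req.initiator) !== siteOf(req.host);
  if (!crossSite) return true;              // same-site request: SameSite never blocks it
  const mode = cookie.sameSite || "Lax";
  if (mode === "None") return true;         // third-party cookie sent on every request
  if (mode === "Strict") return false;      // never sent cross-site
  // Lax: only top-level navigations with a safe method, e.g. a clicked link;
  // an <img> subresource from remote.host gets no cookie.
  return req.topLevel && req.method === "GET";
}

// Stand-alone demonstration of the two scenarios.
const cookie = { setBy: "local.host", domain: "local.host", hostOnly: false, sameSite: "None" };
const linkClick = { host: "local.host", initiator: "remote.host", topLevel: true, method: "GET" };
const imageLoad = { host: "local.host", initiator: "remote.host", topLevel: false, method: "GET" };
for (const mode of ["None", "Lax", "Strict"]) {
  const c = { ...cookie, sameSite: mode };
  console.log(`SameSite=${mode}: link=${cookieSentWith(c, linkClick)} image=${cookieSentWith(c, imageLoad)}`);
}
console.log(buildSetCookie("sid", "abc", { hostOnly: true, httpOnly: true, sameSite: "Strict" }));
```

Note that a form POST from `sub.local.host` to `local.host` is a same-site request, so `SameSite` does not block it; that is why the subdomain scenario relies on HostOnly and HttpOnly instead.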