
Commit fbce179

committed
CSRF Attack Simulation
Documentation has been added to the GitHub wiki.
1 parent 47b66b9 commit fbce179


14 files changed

+381
-0
lines changed


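--- /dev/null
+++ b/csrf-protection/actual-app/pom.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<parent>
+<artifactId>csrf-protection</artifactId>
+<groupId>com.fd</groupId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+<modelVersion>4.0.0</modelVersion>
+
+<artifactId>actual-app</artifactId>
+
+<dependencies>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-web</artifactId>
+<exclusions>
+<exclusion>
+<groupId>ch.qos.logback</groupId>
+<artifactId>logback-classic</artifactId>
+</exclusion>
+
+<exclusion>
+<groupId>org.apache.logging.log4j</groupId>
+<artifactId>log4j-to-slf4j</artifactId>
+</exclusion>
+</exclusions>
+</dependency>
+
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-security</artifactId>
+<exclusions>
+<exclusion>
+<groupId>ch.qos.logback</groupId>
+<artifactId>logback-classic</artifactId>
+</exclusion>
+
+<exclusion>
+<groupId>org.apache.logging.log4j</groupId>
+<artifactId>log4j-to-slf4j</artifactId>
+</exclusion>
+</exclusions>
+</dependency>
+
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-thymeleaf</artifactId>
+</dependency>
+</dependencies>
+
+</project>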
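--- /dev/null
+++ b/PATH-NOT-SHOWN/App.java
@@ -0,0 +1,16 @@
+package com.fd.tryout.csrf.actual;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+* @author furkand
+* 10/16/2018 3:32 PM
+*/
+@SpringBootApplication
+public class App {
+
+public static void main(String[] args) {
+SpringApplication.run(App.class);
+}
+}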
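Review bot: `SpringApplication.run(App.class);` on line 14 discards the `args` parameter of `main`, so command-line properties such as a port override are silently ignored; pass them through with `SpringApplication.run(App.class, args);`. The identical `App` class in package `com.fd.tryout.csrf.attacker` later in this commit has the same omission.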
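--- /dev/null
+++ b/PATH-NOT-SHOWN/SecurityConfig.java
@@ -0,0 +1,35 @@
+package com.fd.tryout.csrf.actual.config;
+
+import com.fd.tryout.csrf.actual.security.SampleAuthenticationProvider;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+/**
+* @author furkand
+* 10/16/2018 3:34 PM
+*/
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+public AuthenticationProvider authenticationProvider() {
+return new SampleAuthenticationProvider();
+}
+
+@Override
+protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+auth.authenticationProvider(this.authenticationProvider());
+}
+
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+http.authorizeRequests()
+.anyRequest().authenticated()
+.and()
+.httpBasic();
+
+http.csrf().disable();
+}
+}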
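Review bot: `http.csrf().disable();` on line 33 is the single line that makes the demo exploitable, yet nothing in the file says so, and a reader copying this configuration into a real service would get Basic-auth-plus-session with no CSRF defence. Put a comment directly above it, e.g. `// INTENTIONALLY vulnerable: CSRF protection is off for the attack simulation. The fix is to delete this line so Spring Security's default CsrfFilter applies (the Thymeleaf th:action form then normally carries the hidden _csrf token).` Separately, `authenticationProvider()` on line 17 is a plain public method rather than a `@Bean`, so it is just a factory call that is not managed by the context; either annotate it `@Bean` or make it `private` so the intent is clear.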
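--- /dev/null
+++ b/PATH-NOT-SHOWN/AccountController.java
@@ -0,0 +1,35 @@
+package com.fd.tryout.csrf.actual.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+/**
+* @author furkand
+* 10/16/2018 3:41 PM
+*/
+@Controller
+@RequestMapping("/account")
+public class AccountController {
+
+/**
+* This is a representative operation for demonstrating CSRF.
+*
+* To execute this method, you need to be authenticated. However, anohter site make
+* you send request to this handler and you may not be aware of it. You may click
+* a button, or an image so you will be the sender. The operation will be executed,
+* because this actual application will think you are the sender and you are authenticated.
+*
+* @return
+*/
+@GetMapping
+public String transferMoney() {
+return "account";
+}
+
+@PostMapping("/transfer")
+public String transfer() {
+return "success";
+}
+}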
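Review bot: The Javadoc on lines 16–25 describes the state-changing transfer, but it sits on `transferMoney()`, the `@GetMapping` handler that only renders the `account` view; the operation it actually describes is `transfer()` on line 32, which has no documentation at all. Move the comment onto `transfer()`, fix the typo `anohter` → `another`, and fill in the empty `@return` tag, e.g. `@return the name of the "success" view`. The name `transferMoney()` on a GET that returns a page is also misleading; something like `showAccount()` would match what it does.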
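--- /dev/null
+++ b/PATH-NOT-SHOWN/SampleAuthenticationProvider.java
@@ -0,0 +1,35 @@
+package com.fd.tryout.csrf.actual.security;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+
+import java.util.ArrayList;
+
+/**
+* @author furkand
+* 10/16/2018 3:37 PM
+*/
+public class SampleAuthenticationProvider implements AuthenticationProvider {
+@Override
+public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+String username = authentication.getName();
+String password = authentication.getCredentials().toString();
+
+if (this.validateCredentials(username, password)) {
+return new UsernamePasswordAuthenticationToken(username, password, new ArrayList<>());
+}
+
+return null;
+}
+
+private boolean validateCredentials(String username, String password) {
+return username.equals("johndoe") && password.equals("password");
+}
+
+@Override
+public boolean supports(Class<?> authentication) {
+return authentication.equals(UsernamePasswordAuthenticationToken.class);
+}
+}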
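Review bot: `return null;` on line 24 tells Spring Security that this provider could not decide, not that the credentials were wrong; with this as the only registered provider a bad password surfaces as a generic provider-not-found failure instead of a credentials failure. Throw instead: `throw new BadCredentialsException("Invalid username or password");` (import `org.springframework.security.authentication.BadCredentialsException`). Also, `authentication.getCredentials().toString()` on line 18 throws NullPointerException when a request arrives with no credentials, so guard it with a null check before the `toString()`. The hard-coded `johndoe`/`password` pair on line 28 deserves a `// demo-only fixture, not real credential handling` comment so nobody mistakes it for a pattern to follow.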
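--- /dev/null
+++ b/PATH-NOT-SHOWN/unnamed.yml
@@ -0,0 +1,10 @@
+server:
+port: 9090
+
+logging:
+level:
+ROOT: INFO
+org.spring.framework: ERROR
+com.fd: TRACE
+pattern:
+console: "%-5level %d{yyyy-MM-dd HH:mm:ss} - %msg%n"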
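Review bot: `org.spring.framework: ERROR` on line 7 names a logger prefix that no Spring package uses (the packages are under `org.springframework`), so this level is applied to nothing and Spring's own loggers stay at the ROOT level INFO. If the intent is to quiet Spring, the key should read `org.springframework: ERROR`; this looks like a typo, so worth confirming against what the author meant.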
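--- /dev/null
+++ b/PATH-NOT-SHOWN/unnamed-1.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org" lang="en">
+<head>
+<meta charset="UTF-8">
+<title>Actual Application</title>
+</head>
+<body>
+
+<form th:action="@{/account/transfer}" method="post">
+<input type="submit" value="Transfer Money">
+</form>
+
+</body>
+</html>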
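--- /dev/null
+++ b/PATH-NOT-SHOWN/unnamed-2.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<title>Actual Application</title>
+</head>
+<body>
+Money transfer successfully transacted!
+</body>
+</html>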
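--- /dev/null
+++ b/PATH-NOT-SHOWN/pom.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<parent>
+<artifactId>csrf-protection</artifactId>
+<groupId>com.fd</groupId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+<modelVersion>4.0.0</modelVersion>
+
+<artifactId>attacker-app</artifactId>
+
+<dependencies>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-web</artifactId>
+<exclusions>
+<exclusion>
+<groupId>ch.qos.logback</groupId>
+<artifactId>logback-classic</artifactId>
+</exclusion>
+
+<exclusion>
+<groupId>org.apache.logging.log4j</groupId>
+<artifactId>log4j-to-slf4j</artifactId>
+</exclusion>
+</exclusions>
+</dependency>
+
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-thymeleaf</artifactId>
+</dependency>
+</dependencies>
+</project>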
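--- /dev/null
+++ b/PATH-NOT-SHOWN/App.java
@@ -0,0 +1,16 @@
+package com.fd.tryout.csrf.attacker;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+* @author furkand
+* 10/16/2018 3:32 PM
+*/
+@SpringBootApplication
+public class App {
+
+public static void main(String[] args) {
+SpringApplication.run(App.class);
+}
+}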
