#4 How to protect your website from CSRF attack? | Write a custom login form | Spring Security Basics

Captions
[Music] [Applause] hey there everyone welcome back to another episode of selenium express and in this series of videos we are talking about spring security and maybe this is gonna be the episode number four where we are again going to talk about lot of different fundamentals related to spring security i hope that you guys are doing practice you guys are learning so much and feel free to ping me message me whenever you are getting stuck with your issues and errors and keep me posted with all your issues so that i can help okay in this particular session we will be talking about uh custom login form how can we create our own login form uh i mean till now we are basically using spring's default login form so i'll be telling you like you know how you can create your own custom sign-in form how can you populate different kind of error messages in your custom login form i'm going to tell you how to secure specific endpoints in your application and also in this video i'm going to talk about another very important thing called cross site request forgery i'm going to talk about what it is what is called csrf or c surf uh what is the csr filter how how basically the hacker can attack your website or attack you how basically a cross site request for jury can made and i'm going to give you a live demo i'm going to let you know like okay this is how an online first day can made and this is how you can protect your website you can protect your customers protect your client and protect yourself as a developer a lot of good things will be seeing so i'm gonna basically split this particular videos in two different parts in first one hour i'm gonna specifically talk about different foundational concept of spring security and the next one hour or fifteen minutes i'm gonna talk about sea surf protection or uh cross site request for jury what it is and different aspect i'm gonna cover right there so don't try to watch it i mean watch this particular video in one go what i'm gonna 
suggest you that take some time feel free feel comfortable then you know sit down relax start coding you know step by step uh proceed and don't try to you know watch everything in one go take your time practice everything watch step by step and practice step by step that's gonna help you a lot well let's start with this particular video and i'll see you in the other side [Music] so last time i think we have overwritten the configure method okay and right here we have to we have to proceed from here right so i am inside my security where i am i'm inside my security config class and in this class right now i'm creating this particular method to configure users and as you can see i have one user called ior his password is something and the role is something he's an admin and also here we are setting off the http security that means you know how our http request will be handled so right now every request we are handling as you can see http authorized request any request so for every request we are doing an authentication that's why we're writing authorized request any request authenticated right that means authenticated every request and uh for that we can use a form login or we can use a basic http basic login okay now for if you are hitting uh the url from a browser a form will be shown and if you are using any rest client like postman or sop ui obviously you will be doing a basic authentication okay so yeah so these two things spring security can sorry spring ours our back end can understand that okay from where uh the call is coming either the call is coming from a browser if the call is coming from a browser then obviously he will see a form login and if the call is coming from post main or through some you know client like java or something else then obviously the basic authentication will come into the picture okay so this method tell me how many of you understand okay don't try to remember the methods name the method name can come with a flow only right you can 
you can copy paste this one that's not a problem but it's pretty simple http authorized request any request authenticated so any request coming authenticated then end this end just to add one more phrase in html you right now or in xml you write like this right then you started writing something id equal to something then name equal to something then then you just do what you close this right so close you have to use this one so that you can start a new phrase just like this for closing this this stuff we are using end okay and after end we can start writing the other thing and once that is over we can write in and we can start writing the other things so i mean we will do a lot of hands-on and we'll be using frequently we'll be understanding that that's not a problem but tell me looking into this right now are you guys comfortable i mean what i have written inside the configure method yeah okay so now let's go with the next requirement and uh we'll be doing a i mean a lot of changes here i mean just keep keep practicing and it will be clear for you guys so let's uh start doing some require let's start creating some requirement and let's start implementing them i don't want to go into so much internal right now but yeah let's go with the basics and slowly will progress and let me try to deploy this application in the server so let me do ok and after that i'm going to hit the request let me see whether things are working fine then we'll just start working on some new requirement okay i got my form login here so right now let's say copy this one from here let me go to safari let me open a private window and maybe i can paste that right here enter there you go and can i write uh your ir one two three is my username and password and right here uh you know i can write hello or hello world things like that i think i have a few endpoints hello if i remember it correctly one is hello world maybe w caps hello world yep spring security rocks and one more we had is by so if i 
will go ahead and hit this buy so bye bye guys right so i got three urls so let's try to secure them okay let me go to that controller if i have it where is that controller uh controller is here let me go to uh this controller okay let's do let's have a simple requirement right now let's not complicate the things uh there you go and this is my config file and this is my controller right so let me write some let me say that okay right now we have this endpoint hello world there is the endpoint called hello and there is an endpoint called buy okay now i'm gonna give you a requirement the requirement is just like this you don't have to secure the hello world don't secure this you don't have to secure the hello okay you secure the hello secure it and you secure the buy secure it okay so now the thing that i want to do so these three endpoints i want to secure only one okay i want sorry i want to secure two of them hello and bye but i don't want to secure hello world whenever someone is hitting hello world i don't want to show him the login form now if you are going to see here right now can i do a log log out enter log out i'm logged out so right now if i'm gonna hit hello world okay now i'm getting this login form right so it is automatically redirecting me to slash login i don't want it okay so when anyone is going to hear this last login he he will bypass this particular form we will show him the resource we will only secure the end point which is let's say slash hello and slash buy let's say someone is hitting slash hello now this is fine okay you can show him the form if someone hit someone is hitting slash buy then also you can show him the login form but when someone is hitting slash hello world don't authenticate it okay the requirement is pretty simple now you don't have to show him the sign-in form okay so let's do one thing so right now how many urls we have to secure this url we have to secure in this url we have to secure okay so right now what we are 
trying to say here can i increase the font okay you guys can see this part or you want me to collapse this one is it okay if i'll open tabs like this or you are getting confused i mean this is just for you know i want to indicate there are three urls and we'll be doing some more easier it's easy to understand this looks better perfect so now first of all we have to secure this okay right now what we are trying to say here http authorized request any request authenticated so now we are saying any request authenticated no i don't want to authenticate any request okay i want to authenticate by using a ant matcher okay this one i can use to match a pattern now which one i need to authenticate slash hello right copy this paste it okay and say that dude you are authenticated okay so anyone is trying to hit slash hello we have written this authenticated that means he has to be authenticated to access this url the next one let's say we have one more right and measures can i do dot and matches and again one more pattern i have to put it right here sorry guys i messed it up bye okay there you go and this buy one also we need to authenticate so i'll say authenticated there you go right so the buy if someone is hitting he has to be authenticated hello someone is hitting he has to be authenticated and let's say someone is hitting the other one okay right now if you are doing and matches if someone is hitting this url slash hello world then we don't have to authenticate him so i can directly say dot permit okay so anyone is hitting slash hello world permit everyone so no one need to you know i mean no one need to authenticate to access this hello world page so everyone for everyone just make this particular page available without authenticating him but for this and this make him authenticated let's see whether it is working or not let me hit command s my server will kick in the changes then we'll go to our web browser and let me start hitting slash hello world don't say me that 
i'm gonna get a login page no i'm not going to get any login page because right now you can see to see this endpoint slash hello world i don't have to log in and i can see the page right here okay so what about the other endpoint that i have i buy and hello if i'm gonna access them then i have to be authenticated so let me go back and let me hit buy there you go you get a login screen and you have to you enter your username and password let's say hello there you go again you get a login screen because we have secured this endpoint and everyone has to be authenticated before they need to login okay so now here i can enter my username and password enter and there you go right i'm able to login so now this is what i'm trying to say that okay you can use this method dot authenticated dot authenticated to authenticate an user by showing him a login form by doing a form login or by a basic authentication if someone is going to hit from any client obviously he has to do a basic authentication else if someone is hitting from a browser we will show him the i mean a login form the way we are showing him now tell me guys with this thing you are clear maybe 50 60 percent are clear or not is making sense or not sir is it same means yes we are using in xml yes he is authenticated also one one more thing same thing only same thing only and this is i mean now this is only one thing only we are doing okay and we can also make it more specific like this hello can only be accessed by the admin not by the user let's say i have two users one is the lib and one is moyu okay let's say moyu is an admin okay and moyu is a new user and dilip is only an user okay then the leap cannot access this particular page because this endpoint is only be specific for the admin okay so only admin can access slash hello i can also give request for i mean access for that so i can say dot hedge role okay you can see i have a method called hedgerow and here i'm saying no this io is an admin so if i want 
only ayur or or anybody who has the admin access to handle this url or to access this url i can give here the role called admin okay but i will get into get back to this later how to specifically you know give access to this particular url to a user or admin or it to somebody who has a specific uh you know what we said that uh role will be coming back to that but right now i'm just using authenticated okay uh yeah and the same thing we can also do it in the xml and uh maybe once we completely do all these things we'll do one thing we'll create a spring mbc project uh security project with xml i mean at that time i won't be explaining things because you already understood right here how to write code what are these methods what are the classes i'll be explaining a little more but after that we'll create one project in um xml uh sorry what this project will be converting it to xml we'll see that how to use all those tags the tags that you are sending me right now on chat same same thing like that we can also create it but yeah it's always good to learn stuff xml stuff boot stop you don't know right uh what is going to come in your way so yeah so that's why i always said don't just keep anything okay don't skip like okay so go to let's go to springboot let's go to xml or let's go to java configuration you have to learn everything and concept is same everywhere we just need to implement yeah uh this thing uh how much comfortable you guys are right now look into this code and tell me i mean is it making sense right now this many calls just look into this i'm not telling you to type it in just understanding why it's looking into this code are you guys understanding like what i'm trying to do inside this particular configuration file yes okay okay don't worry we will be going in depth don't worry but let's make the big clear one thing i wanted to ask does ant matches take a [Music] nah what do you say array yes we we can we can specify that you can see it is a varax oh no 
good question so you can see right now if i'll do control space we have a borax right here string and pattern that means we can specify multiple patterns just right here hello i can actually do slash hi this is also going to work this particular method can handle array you are correct because right now the method signature if you are going to see it is barak's right so bhararas can take any number of arguments and will convert that to an array internally right yeah okay so if it is making sense right now let's go ahead and do some other thing there are still a lot of things what you are thinking you are clear but still i will be explaining these things pretty well uh but before that let me do some other work and before we go further okay can we create one more user okay let's say right now we got one user called iowa so his password is this his role is this can i make this password shorter okay it's a big crypt one we are using isn't it that's fine so let's do one thing this password is either one two three so now this is one user we have can we create one more user maybe i will create one more user with maybe end okay and i'll create one more user with user and this time let me create one more user called karthik and the karthik password is dot password and let's say he you know i mean his password we need to obviously generate as a big crypt uh calculator so b crypt calculator can can we use id no i just put because already we have done big crypt we can use no there that's not a problem karthik let's say karthik 123 okay let me copy that let me go there password so here i can paste the password before that i can give or let me go with the crypt only because this is a big create password and then rolls uh so i said dot role so i said whenever we'll be creating user will be needing let me make him a user okay so you can write anything right here it's not like an i'm writing user means you are also going to write user so it can be small later capital letter this is 
just like you know you will be creating the roles right so inside role you can write anything you can write teacher student any kind of role you want to create okay there is no hard and fast rule here that you have to write like that or things like that okay so now i got two user iodine karthik um password also let me write it down otherwise i'll forget maybe after some time so maybe i can write the password like your one two three and for him karthik one two three okay let me do ctrl s and let me go and check uh once with uh karthik user and let me see whether the things are working or not and after that we can go to some other we can do some other stuff and right now can i do a refresh can i try to log in with karthik one two three sign in boom i'm logged in can i go to hello there we go so he is logged in with karthik and i can also do log out and i can also log in with ior in perfect i'm also logged in so i can say hello there you go perfect so so this uh this is a very simple code guys you know i don't think you know we will spend much time explaining about this thing i mean people just end it with five with five minutes right but anyhow we have taken around one or two sessions to cover all these things and i think we are good so right now let me go with a different requirement okay so now just see uh see here let's try to do something funny and that will be more interesting so let's try to do this let's right now see whenever we are trying to access any url let's say we are trying to access hello world now this is the login form given by spring isn't it but let's say someone is telling you to secure a particular endpoint obviously you'll be needing your own login base isn't it you will be needing your custom login page you don't need to use this particular page because this is spring default page let's say i want to put my logo here selenium express logo here or your company logo here you want to style it a little more okay you want to instead of saying 
username you can say email okay instead of saying password i want to say pass instead of saying sign in i want to say login this button also i want to change then for that we need to create a custom login form right so now these login form given by spring by default so to create a custom login form we can create our own login form and we can make it use you can make it an action and we can use our login form to login and to log out also okay so we can create our own login form so to do that what i will be doing right now let me close this page and i i don't want to use this one so maybe i can go to source main web app webinar view here i got hello world.jsp maybe i can create one more jsp here so let me go ahead and write jsp and this time i'll be creating one file called let's say login dot jsp you can write anything right here i mean there is no rule that it should be login.jsp and i can say here login so imagine like this is my custom page i'm building and the body inside the body i will be creating a login form okay so to create a login form here i'll be using spring mbc form tag now you can ask me that hey will ask can i i don't want to use spring mbc form tag okay then can i can i create a login form using spring uh i mean to to use that with spring security the answer is of course yes but i'll be telling you why i'm using bring mbc form tag here but anyhow to use spring mbc form tag i'll be needing spring mbc form tag i'll be needing the tag library so i will be copy pasting it because you know how good i am with with my spelling and i don't want to do any typo so let me go back to eclipse what is that okay there you go and i'll just put the tag lib just right here so right now the prefix is form so i can write form colon input from column form things like that and this is the uri okay so just do copy paste you know if you don't want to type it or if you don't want to make any typo so right here inside the body i can give a h1 tag i can say my custom login 
page okay and right here i can do one thing i can create a form right so i can write form colon form colon form i can create one form right here and inside this form i'll be creating couple of text boxes one is to enter username one it one one is to enter password so i can write input you can also write form input but i am going with input type equal to text then placeholder or i can just give username right here okay and let me collapse this and uh the name right the name make sure the name is going to be uh username okay you have to make sure you are writing exactly same as like this username why can you change it yes you can but why i'm writing username i'm gonna tell you in a minute okay and again password and here i'm gonna say input uh maybe type equal to password okay and the name okay the name for this particular field is going to be password only exactly like this password right uh so this is the spring nbc defaults you have to take the name as username and name as password you can change it but we will be going to that later okay so now there you go i got two filled maybe i can write a br right here and maybe i can have one more button here so i can write input type equal to submit and value equal to let's say login or something okay control s so now this is my new login page isn't it so let me do control s so right now how this particular page is going to be called obviously we will be creating a controller maybe i can create a login controller right now new class and maybe i can create a login controller okay and let me do finish maybe you quickly let me create a simple do i have any other controllers we we have controller but i have this controller yeah i just want to create a controller for login specifically so i just created a new controller here login controller okay inside that i can do what first of all i can mark it as a controller and it is a get mapping and let's say my custom login there you go and here i'm gonna in here i'm gonna return 
login okay so now what i want here i want to use the login page okay so basically let's do one more thing i will go to the security initializer not initializer security config right here let me add one more url let me do copy okay just for now i'll be telling you and here i will say what is that url that i have created my custom login copy that come here say my custom login and say for me top i want to give access to this particular url and nobody need to login to see the login form obviously no need no nobody need to log in to see the login form so whenever somebody is going to hear this url i want to show him that that particular form that i have created now let's see what is going to happen if i'm going to hit that url so now what i want is i want to show this particular url i mean my custom login url because my custom login url is going to return login page which is basically this one that i have created right now and i don't want to show the user the custom login page that spring sorry the springs login page that this one right so now if i am going to hear something let's say hello enter now you see i'm againsting that particular page i don't want to see that right so can i access my url my custom login enter there you go i'm able to see my login page but this login page maybe i can give a break there may be a break after the before the button ctrl s this button i want to drag it to here refresh there you go so here what i want when somebody is going to access any of the url here let's say is class hello right instead of this one i want to show him that page so how we are going to do it right now to do that what we can do we can go to here we have a login controller this is our login uh you know url so we can go to the config file okay the security config and here we are doing a form login right so here we need to tell spring that hey spring don't use the normal form login use the login url maybe login login page yeah use the login page the login page is going 
to be this guy isn't it uh my custom login okay uh and also make sure i i don't want to do this okay this one this one is just to show you because if i i would not have write this particular line what would have happened that you know to access this login page we we have to login because if if i'll not write permit all by default that will be secured right um maybe i can remove that in this case it will not be secured because anyhow i'm specifically authenticating the urls right here so maybe if i'll not write this also that there won't be any impact but yeah let me remove it now let me do control s now i'm just giving a login page to here to my login to my form login so whenever i'm going to show a form login the login page is going to be this one so let me run the code and let me uh what is happening right now so i'll be going here and here again i'm gonna say let's say slash hello enter there you go right now our custom page is in action right we are getting our custom page so let me go to another url which is not secure maybe i can go for hello world and here obviously we do not have any security can i go for slash uh what we say that uh hello there we go we are having this one bye i think by is also going to ask me to log to login enter there you go i'm i'm redirected to the login page perfect right now let me use one user let me say karthik or thick one two three enter so it's saying bye bye guys right so i'm i'm actually you know inside here can i use uh slash hello so it's saying hello from selenium express right that's it so it's working so what i did is i have just created one url in my code class my custom login and for this my custom login i'm returning a login page and my login page is just right here making sense so far what i am trying to achieve here yes i have one question how spring is mapping this username and password to default login it means we are not using model attribute we are not using model attribute we are not using form action why you 
are not asking me that correct question so basically the question here is whenever let's say right now if i do log out it will not work see because right now spring is saying okay you are taking over no you are creating your own username i mean one own login page i mean everything you are taking control right so you have to create this particular url slash logout you have to you have to activate it i mean you are overriding the things means you have to take complete control okay so now if i'll do one thing anyhow i cannot i don't have any log out option i can close it i can create a new incognito window because there will be a new session there can i hit it again enter okay i'm getting this one right now the question is whenever i'm entering something whenever i'm entering something and whenever i'm doing login okay then obviously this form will be processed isn't it what is that processing you are what is the action i'm not writing any action for this form do i have any action here no i don't i have not written any action so what is going to be the action okay and one more thing what is going to be the method for this okay let me tell you you don't have to use this action you don't have to use any model attribute to carry the data to the next page all these things will be happened by default by spring why we will understand later but the thing is that it will be happening automatically now one thing method is going to be always post you have to make sure that because these data should always go with the post method only that's the spring security recommends and the action here what what can i write any action like uh slash process log or process login and things like that okay can i write something just like this process login okay now what will happen let me let me do one thing i can go to google chrome i can refresh it can i say right now karthik and password for karthik is let's say take one two three login now i am there at process login okay so now it is 
navigating me to the process login okay so can i look for hello is it going to work no it's not working now see now the things changed right so this is the custom login whenever you try to log in it is going to process login that's how the action works right whenever you do a submit obviously it will go to the action right now the form action is what whenever you are going to submit this particular form you have to take the user to this url process login now for this url we have to go ahead and we have to create a url inside the controller and we have to handle it and that's how we have worked till now with our spring mvc or with springboard whatever the course that you have attended but right now the thing is that you really don't have to write a handout a handler mapping or a handler method to handle this url that can be happen automatically you just need to tell spring that what is your action previously i have not given given any action okay so the default value was taken right now if i want to say spring that hey my login form this is my login form and the action is this and the action value is this so you have to do copy this here you have to go to the login con sorry my security configuration and here to the form login you will say okay my login page is this and my processing url okay login processing url is this command v process login give it a slash command s right there you go now it will work now let's see you have to make sure that whenever you are giving process login you have to be stay consistent in your application is process login here means in that form also it is going to be process login okay so now let's see what is going to happen if i'll go to my google chrome again let me do a refresh so i'm i'm here inside my my custom login can i try with the slash hello it should redirect me to the custom login form you can see it is redirecting me to the my custom login now let me try with karthik again karthik karthik one two three have i written it 
correctly, karthik123, enter. There you go, now it's working, right? And I'm redirected to the hello page. Can I write... you can see I'm also able to access this page. So right now the login is working fine, okay? You can take this; maybe you can go to Google, a Safari private window, enter the login page, now just log in with io, enter, there you go, logged in. Now you just need to understand this one: this action can be anything, you can write anything right here, but whatever URL you are writing, you don't have to handle it, you don't have to create any other handler method for that inside your controller; rather you can go to your config file and you just need to mention the loginProcessingUrl, right? Making sense so far?

Sir, by default in our form the method should be GET, no? If you are not writing that method, then how should it be POST?

Okay, all right, so basically I'm going to give you a little more description about this particular question later, but let me tell you: if you are not going to use this action here, okay, if let's say I'm not going to use this action, then what is going to happen? What is going to be the default URL that this form data is going to be submitted to? So if you ever have doubts like this, what you can do: you can go back to your screen, and here you can see my login page URL is slash my custom login. This is the setup configuration that we have done so far. Forget about this part; imagine if we'll not write this particular part, okay, we'll not write a loginProcessingUrl and we only have a loginPage, which is my custom login page, which is this one, in your case called login.jsp. So right now here in the form we don't have any action selected, so in that case this particular form will be submitted to that specific URL, to this specific URL called slash my custom login. So the way you can make sure about it: basically you can load your login page and do a right click, click on Inspect, now you can see here in
the form, look at the URL: the URL is slash my custom login. This is the action for your form. All right, so right now remember that we have not given any form action right here, the form action is not here, so by default our login URL is slash my custom login, so this URL only is my action right now. So I have this action automatically generated, right, that's called slash my custom login. Now imagine I got this loginProcessingUrl which is called slash process login. If you'll go back to here and if you're going to have the action as process login, now if I do refresh and if I'll wait till my server reloads the changes, you will see that if I go back to here, now look at the action that I have, which is slash my custom login; reload the page, you will see that the action changes to process login. So it's all up to you right now: you want to give an action explicitly by providing the loginProcessingUrl, or you don't want to.

So the next thing, once this one is done, and also one more thing: I have told you that this will be username, this will be password, okay? If you are writing anything else, let's say "name", I've just given one "e" right now; actually the name could be anything, but if you are not writing the name as per the Spring Security standard, then you will see what will happen. If I'll go back to Google Chrome, if I'll do a refresh and now if I'm going to write karthik and karthik123, enter, now see, it's not working; it's giving me an error page. There is one more thing: whenever we are getting an error, whenever we are entering an invalid username and password, it is throwing me this particular URL, see, my custom URL but with a parameter "error", okay? So it is not displaying any messages right here because it is our page; we have to display the message. So one thing you have to understand: whenever you are using Spring Security defaults it should be username, because by the help of this username and password, Spring
Security basically creates something; it basically gives you CSRF protection, okay? So whenever, basically, right now if you're going to see, whenever you are loading this particular page, if you do a View Page Source, now see one thing: this is your form that you have created, right, the form started here, okay, and now you can see there is another input field. This input field we have not written in our code. This hidden field we have not created; we have created this username, this is our code, password, this is our code, but this code is not ours, right? So who has created it? Spring Security has created this field for you, and this is a field called CSRF. CSRF basically stands for cross-site request forgery, and basically it is for your protection. So by default whenever you are creating a login form just like this, you don't have to write manual code for CSRF protection; the protection has already been given by Spring to you, okay? And basically this code is going to the server side and Spring is validating this particular value, and accordingly it will be helping you to log in, or it will be denying your request. If you are not writing this thing, username and password or things like that, you can write anything, that's fine, but you have to take care of the CSRF stuff: you have to generate one ID by yourself right here if you are not going to write this thing exactly the same as this. I'm going to come back to that, how you will be creating your own CSRF token. But what is this CSRF token? I think I have told you guys in the morning batch; if anybody attended, can you guys tell me what is this CSRF? Anybody attended the morning batch, maybe one or two months back I have discussed this? Why do we need CSRF protection? Everyone silent; I'm going to catch you guys. I don't remember exactly. You have experience, yes, yes. So, to avoid junk mails or
something like that. All right, so right now let's start talking about cross-site request forgery. Well, basically before I give you a live demo, and the live demo part is basically attached with this particular video from one hour five minutes or something, you can start watching and that's when I'm going to give you a live demo; you can find the exact timestamp here. But for now you just understand: CSRF or cross-site request forgery is kind of an online forgery. Spring is giving protection to you by default, and basically Spring is generating a cross-site request forgery token, or a CSRF token, by default, and that token is going to be generated by the server and will be validated by the server with each request and response. So, I mean, you just have this kind of fundamental for now, and again I'm going to let you know everything about CSRF. I mean, let's not break the flow; I'm going to talk about it at the end of the video. You can go to this specific timestamp and explore CSRF; just try to understand, try to feel it, okay, this is what CSRF is, this is how an attack can be made, everything you will be understanding, but at the end of the video, I mean from one hour some particular minute, you can start watching. But right now just understand it's a kind of forgery, okay, that can happen to you, and Spring is by default protecting you. Hopefully it's clear. Now let's understand some other things, and at the end we will obviously be talking about CSRF a lot and I'll be telling you more about it, don't worry.

But this is called CSRF protection. For this we have actually just used the Spring MVC form tag here; if you are using the Spring MVC form tag then this particular field will be auto-generated for you, and CSRF protection will be taken care of by Spring. But what if, you know, I don't want to use the form tag here? Yes, you can also use a normal form, but if you'll be using a normal form the things will not work, okay? At that time you have to do something right
here: you have to create the CSRF protection, you have to turn on the CSRF protection by yourself, you have to generate that token by yourself, and how to do that maybe I'll be telling you next time, okay? But right now let's go with the form tag only, because Spring will be taking care of all these things. Okay, so it's already 7:29. Okay, I can do one more thing if you'll allow me; basically two things are pending. Okay, if you see here, now we have a custom login form. Now let's say someone is hitting karthik, karthik123, enter, process login. What happened? Process login, Ctrl+S, can I go there? Yes. Questions? No. Okay, I'm logged in. So guys, we are on the same page till now? You want me to stop, or are you guys okay if I'll teach for another 10 minutes? I'm fine, we can continue. Yeah, I just want to hear from everyone, make sure that you are not getting bored by hearing this; just confirm me, okay? So just 10 minutes more.

Let's do one thing. I can see some problem here: now how can a user log out? Okay, now there is no logout link. And one more thing: can I copy this URL, close it, because we do not have any choice to log out; maybe we can create a new incognito window, enter it, and maybe we can try to access our login. Now imagine someone is giving the wrong username, wrong password, trying to log in. Now see, we are not getting any error messages, right, but we are getting this URL, slash my custom login; if it is an invalid username and password this is what we are getting in the URL, a question mark, which is basically your query parameter, and there is a parameter, the parameter is "error", okay? That will come only... you can see if I'll go to the custom login, this is the page, now if you're going to do login, now see the URL, it changed, because this is an invalid username and password we have entered. Now for that we have to display a text here like, okay, this is an invalid username or password, maybe you can try
with your valid combination. And to do that, what we can do: we can display error messages right here. I can go to Eclipse; right here what we can do, we can maybe write some code right here to handle the invalid login scenario, okay, maybe something just like this. So how will we be doing it? So first of all I'll tell you one thing: I want to do some condition check just right here, whether we got that "error" available inside the URL or not, inside our query parameter, whether this error is available or not. Because if it is a successful login, now imagine if I'll be entering something, doing login, then obviously that error will not be there inside the query parameter. But imagine if it is the invalid login: if you do login, this error will be there inside the query parameter. So I just want to check whether this error is available inside the URL; if available, that means this is the invalid login and you have to enter your valid username and password, and I have to populate that error message right here on top of the page, okay? And to do that condition check, what can we use, any API we can use inside the JSP? How can we do some condition check, looping, things like that, using JSP, any API we need to use? Everyone silent, man. Don't tell me that you don't know about this; everyone knows about this. Any idea, Moyu, how can you do it? I think that c:if. Yes, yes, c:if. From where will we get that c:if? Yep, JSTL. Yeah, the JSTL dependency. Don't tell me you don't know this; you guys are having around four or five years experience, maybe 10 years experience, and I will not believe it if you don't know JSTL. So I just need to copy this and I will first of all go to my pom, where is that pom.xml, I can put the JSTL dependency right here, Ctrl+A, Ctrl+Shift+F, Ctrl+S to format. It will be building my WAR; maybe I can do a right click, Maven, Update Project, just to make sure I'm on the safer side, okay, and
it's updating the Maven project. Now I need to use that c:if tag, so the JSTL core feature, the JSTL core taglib; because I don't want to write it manually I'll just go to somewhere here, the taglib is this one, copy that, and I will go back to my login page. This is my login page; on top of this I'll be putting a URL. I don't know, I'm just fumbling a lot today; maybe I did shoot for some time, maybe three hours I did shooting, and also I had a lot of client calls today, I don't know, I'm fumbling a lot. So anyhow, the prefix is c and this is my JSTL core URL, just right here. So maybe I can write that right here: I have written c right here as a prefix, so I can write c:if. So right now I can do some test here; the test means what you want to test. Now I want to test whether in that URL, inside the param, do I have "error"? What is that, error or errors? What do we get? Sorry, you just write your "error", right, copy that "error", I can do param.error, just make sure this is equal to null; if it is not equal to null, if we have this error, then display an error message. Maybe I can say, just to make it a kind of italic style, and I'll say "Invalid login or password", okay? And what does it say, the file, do you want to overwrite? Yes. Okay, now this is what we want to do: whenever the param is not equal to null, whenever we have this param here in the URL, at that time we'll be showing that, okay, it's an invalid username or password. Now let me go there and let me check. Login. Oh, it's not working, why is it not working? Oh, maybe that guy, isELIgnored="false", Ctrl+S, because the dynamic stuff is not working; you can see that I'm checking something dynamically, so let me first of all make this one false. Now I can go there, let me do refresh, there you go, "Invalid login or password". Let me say some random username, random password, enter; this thing, "Invalid login or password", right? Now can I make it... can I
do style color equal to red, Ctrl+S, refresh, test, there you go. Maybe if I'll type anything just right here it won't work; now can I type a valid username, karthik, karthik123, enter. Man, what is happening? karthik, enter, yeah, there you go, it's logged in.

Right now how can you handle this logout stuff? Then for logout you actually don't need to do anything. Let's say, where is it coming first, let's say hello, "hello from selenium express", right now do we have any JSP? Hello world, "spring security rocks", right, this is hello world, okay, can I write hello world, enter, okay, "spring security rocks". This is actually a JSP page, right? So if we'll go to your controller, login controller, you have another controller, right, maybe hello world controller, here we had hello world, right, it is returning the hello world page, right here, maybe the hello world page, this one. I can give a logout button right here, okay; I can create another form, maybe another form:form. So I'll just go back to the login.jsp and I'll just copy these two taglibs, because I want to use the Spring form taglib and also the JSTL taglib; maybe I'll be using them later, but I will be putting this right here. Right now I'll be telling you why. So right now inside this JSP page I'll just create a new form; maybe I'll just be creating a button, but I'll be creating that through a form. So I'll say form:form, okay, and right here the action is going to be... I am sorry, not going to be anything, it can be anything, we can customize it, but now I'm going to say logout, class logout, maybe I can write logout, and that means that's slash logout automatically, and method equal to post, okay? Because whenever you're doing a logout, what it basically does is it is basically clearing out all your cookies and sessions and it is going to invalidate the currently logged-in session. So we'll be seeing that internally, but here inside this form I'll be just creating a button, that's it:
input type equal to submit and value equal to logout, okay, Ctrl+S. Now you have created this logout feature; now you just need to activate it in your configuration file as well. So where is your configuration file? And maybe let me first activate that isELIgnored="false" thing just right here as well, so make sure that you always have this isELIgnored="false" if you are coding in Eclipse. Or the next thing: now I'll go to the config file and here I'll be just doing one more thing, I'll be writing .and(), okay, and .logout(), there you go. I don't need to do anything else; I think this is going to work fine. So maybe I'll do one thing, okay, let it restart; I can go back to somewhere, can I go to the hello world page right now? I can see that I have a logout field; if I click here, now see, I am logged out, right? Can I do karthik, maybe karthik123, log in, I'm logged in. Here I do not have any page mapped; maybe I can go for the hello world page, okay, now it's saying "spring security rocks". Now do you want to log out? Click on logout; you are logged out, and also you can see that you are getting this "logout" just right here. So if you want to say that, hey, you are logged out successfully, maybe you can copy this again and you can go back to your login page, where is your login page, login.jsp, maybe right here you can create one more c:if; I'll tell you how. Okay, this is what we have in the parameter, remember; now I can copy this and I can paste it right here and I'll check one more thing, okay: in the parameter if this "logout" is available, if this logout is not equal to null, if we have this logout, then just say that you are successfully logged out, okay, maybe please sign in again, okay, Ctrl+S. Now maybe you can go to your page here and you can type in hello world, say logout, there you go, "you are successfully logged out". Try to log in with another user, ayurv123, login, it's logged in, maybe you can go to hello world,
hello world, logout, "you are successfully logged out", so simply say login, okay, "invalid login or password", okay, perfect. Things are making sense so far? I have not done anything; I have just written .and().logout(), that's it. And this endpoint that we have used in the config file, this will give you by default a pre-defined endpoint called slash logout; you can use that link called slash logout. You can also customize that URL if you want; if you do dot, we can actually customize the URL. I'll be telling you those things later, maybe: what if, you know, you don't want to use slash logout, you want to use something else right here, you don't want to use this link "logout", you want to use "my logout" or something just like that; you can also create your own logout URL, I'll be telling you how to do it. But for right now you just create a simple form, put your logout URL just right here, or maybe you can create a simple link and put your link; I mean, just activate .and().logout() just right here to activate the logout feature. Then you have a login feature activated here, okay, my custom login, and you have a logout feature activated here, okay? So whenever someone clicks on logout, it will invalidate the cookie and session, and, I mean, the session will be destroyed and obviously we'll be coming out of the authentication; the authentication object will be destroyed. We'll be talking about that later, okay?

So is it making sense so far? We're good? Boring session? Yeah, okay, okay, maybe I don't have so much energy today, but I feel that you are understanding. Maybe just quickly let me ask everyone: Repti, making sense on these things, whatever we have done? I joined in today, so I will go through the video. Okay, okay, all right. Okay, Mohi, making sense? It's a blush, okay. Felix, you are okay? Yes, I'm okay. Dilip, okay? Yeah, okay. You got any questions, you can ask me. No, no. All right, okay, so let's catch up tomorrow, and yeah. Yeah, Felix, hello? Yeah, yes, yes, go ahead. I wanted
to ask you, can you make an error page? Yes, we can, we can make an error page, and basically that error page concept is really good; we're supposed to create an error page. But for this login and logout, maybe we can pop up a message there only, like if you are in the login page and you are not giving the correct username and password, throw him a message there only, that, okay, this is an invalid password, this is an invalid username. Okay, there an error page will not be beneficial, but yes, we can create a separate error page for different things, and I'll be telling you how to configure that, and basically we can have that feature right here: so you can do another .and(), okay, and basically you can add exception handling, and I'll be telling you how to add those things maybe later, okay, Felix? But you can do that, okay, but how to do it I'm going to tell you later, okay, very basic, Felix. Right now maybe we'll be covering everything within the next five, six days, and after that, whenever we'll be covering Spring Boot, we'll be taking it forward from there, okay, cool? So, yeah, yes. Okay, so can we replace this login form? This login form is going to work similar to a normal login form; can we use it like a Facebook login? Yes, yes, we can do that; we can also activate the social login feature just right here, login through Google, login through Facebook; maybe we can create a different filter for that, or there is also another way to do that right here. Maybe something just like, I'll just show you one example; you are talking about this one, like if you are going to do something right here, you want to show some... okay, why this logo is just like this, something just like this you want, right? Yes, yes, sir. Yeah, maybe we can give Facebook, Google, LinkedIn, maybe Pinterest; maybe we can give a lot of login options. I'll be telling you how to add that; yes, we can give that right here. And this login page is right now very plain; I'll also be showing how to customize this
one, and also how to allow CSS and Bootstrap to take control of this login page, because whenever you'll be using Spring Security, by default the CSS and Bootstrap will not work, okay? We have to do something and I'll be telling you those things maybe pretty soon, in this week only, okay, cool. So I'll see you guys tomorrow then, bye bye, thank you very much, bye bye, bye.

So right now I hope you have enjoyed listening to this session. If you want to take a break, take a break and practice all this sort of stuff that you have learned, and also keep me posted if you're finding any kind of difficulties. But right now the important thing, the CSRF, the cross-site request forgery: as I promised you in the beginning of this tutorial, we'll be learning it in depth, like, okay, I'm going to give you a live demo, no kind of theory here. Let's try and understand right now what cross-site request forgery is, and I know you're excited, and a lot of exciting things you'll be seeing and exploring right now. Let's think like a hacker and then we will protect ourselves from that hacker. Make sure that whatever you are creating, try to break it; once you can break it, you can understand, okay, if you can break it someone else online can also break your website, right, and then obviously we'll understand how to protect ourselves, right? So, okay, forget about all these things; now let's get started with this particular CSRF concept, what the heck it is, let's explore.

All right, so right now let's go ahead and understand CSRF or cross-site request forgery: how the forgery can happen, how the attackers can attack you or your website or your website's customers, and how you can protect your users from being hacked, okay? So to demonstrate this I have opened a website, and this is a very simple website that we have created for our demo application, for our Spring batch. So basically, as you can see, we got some food items here, for example gulab jamun, paneer tikka, chicken biryani, chilli
chicken, paneer butter masala. Imagine these are some menu items of a restaurant; so basically these are some menu items that we got inside a restaurant, and if you are watching outside of India, these are some Indian dishes and you can try them, they're really tasty. So right now imagine that a regular website visitor can see the price of the gulab jamun is 200 rupees, the paneer tikka price is 200, the chicken biryani price is 200. Right now he'll be able to see all these items' prices. But let's say today is Sunday and I am the restaurant owner, I'm not the actual user, I am the owner of this particular restaurant called Express Tower. So basically I want to give my customers an offer: the chicken biryani price, which is 200, I want to drop it to 150. So I will go here, I'll click on update, and right now it is asking me to log in, because I am the restaurant owner and I want to update the chicken biryani price; some random user cannot update this particular price to something else, you have to be the restaurant owner to update this particular price. So for the update operation you have to log in first; you have to tell me that you are an authorized person and you are the owner of the restaurant. So you click on update and you just give your username, which is admin, and the password, which is admin, you do a sign in, now you got a form like this. Now you said, okay, the chicken biryani price, I want to drop it to 100 or 150 for the weekend, so that people can have it and they can have fun, and I will also get some extra orders because I'm dropping the price from 200 to 150.
Cool, so right now you have just seen a functionality where I have changed the price of this particular menu item called chicken biryani, because I am the owner of the restaurant. Perfect. So before I proceed further I want to ask you one question: let's say if I want to click on this update button again, do I need to log in again? Of course not. If I click on update again I don't have to log in again because I have already logged in; if I want to change the price again from 150 to 155 I can do it without even logging in, because, you know what, I have already logged in. So if I want to click on update again, I have already been authenticated, so I don't have to log in again and again. And the way this particular thing works, I told you already, I mean, these things work because of a session or a cookie. So if you'll go to your developer tools, and if you'll go to the console, sources, what are the keys... so if you'll go to Application, maybe I'll just do one thing, I want to get this thing to here, so maybe I'll click on these three dots, I want to see this at the bottom. If I'll go to the Application, if I'll go to the Storage, and where is the Cookies, if I'll go to the Cookies, so if I'll open this cookie, if I click on this, you can see there is a session created and this session has already been authenticated, and that's why if I click on update again it's not asking me to log in again. But if you take the same URL, if I'll take the main URL again, Ctrl+C, if I'll open a new private window, new incognito window, and here if I'm going to enter this and if I am going to click on update, then again it's going to ask me for a login, because this is going to be a new client and obviously this session, right now if I'll be going to More tools, Developer tools, right now this session has not been authenticated. So let me close this, let me go to the earlier one that I was using, which is this particular window, and here I've already been authenticated and this session has already
been authenticated, so right now if you want to click on the update button of any particular link it won't ask you to log in again. So whenever it is sending this cookie or session to the server, the server understands that, okay, this is the guy who has already been authenticated and I don't have to ask him to authenticate again. Perfect, this fundamental is clear, right?

Now, well, one thing: if you'll see, if I'm going to do logout, if I'll do logout here, this is my sign-in form, right, and let me open the developer tools, More tools, Developer tools. Right now if I'll go to the source code of this, if I'll go to the Sources or if I'll go to the Elements, you can see my page source, this particular page source code. If I'll open up the body, if I'll open up the div, if I'll open up the form, this is the form, right, and this form is this one, and you can see if I'll open up this paragraph, this is my username text field, my password text field. Now you see this, I have told you about this already: now this particular form got a CSRF token, right, there is a value, there is a CSRF token getting generated by my system. So more clearly you can make it visible: click on this, View Page Source, now you can see that you got a CSRF token included with your login form. So basically the form starts here and the form ends here, and basically this is a login form, the one that you are seeing just right here. We really don't need to care about what other code the Spring people have written to develop this particular form; the only thing we care about is that there is a CSRF ID. Not only this particular form: any form that you want to see in this application, for an example, if I'm going to close this, let me go to, let me log in admin admin, do a sign in, imagine if I will go to the dashboard, let's say this is chicken biryani, the price is 155, I want to do an update, I'm getting an update form, I should be getting an update form here, it's loading, and basically this is my form, and whenever I do
add to menu, if I want to do chicken biryani and if I'll make one more "i" here, right now "biryani" with two "i"s here, if I click on add to menu this is going to make some changes in my server; it's going to post this data to my server and there will be some changes that will happen in my server. So if I do add to menu, now that is a POST request that went to my server, and if I'll go to my dashboard again I'm sure that the chicken biryani right now, the name is changed, like "n" with two "i"s, right? So basically I'm posting the data. So if I click on this update it's creating a form for me, or it's opening a form for me, and if I click on View Page Source again, right here also you can see, if I'll go down, down, down, this is the form, the form starts from here and the form went till the end, and here is a field called CSRF, and this token has been generated by Spring itself, and you can see the similar token just like our login page, we got another token just right here, okay? So right now what are these tokens for? For every form that we have, or for every POST request, you can see this form, the action is this one and the method is POST, okay; for every POST request Spring will generate a CSRF token for you. So why is it generating a CSRF token automatically for a POST request, or what is the protection it wants to give us? To make you understand this, let's go to the back end of this application. Do not care about the code, do not see the code at all, right, just understand the concept here, okay? So basically let's do one thing right now: let's say I don't want this CSRF protection, I want to disable it, okay? If I want to disable this CSRF protection I have to go to the back end of this application. So let's go to the back end of this application; so if I will go to my STS, I have already opened this particular project, I don't want to show you the code of this, this is a different thing, but inside my configuration, this thing you can understand, we have a security config file, and
in this security config file, I mean, the code should be pretty similar to what you have already written. Right now what I want to do, and here I got my configure method, right; in my configure method there is http.authorizeRequests().antMatchers(): I mean, there are certain URLs that I want to make authenticated, I really don't need to care about this, and I'm using a form login. Now what I want to do with this http, right, I mean this http argument: I will do http.csrf().disable(). Right now I'm disabling the CSRF protection. Now once I disable the CSRF protection, what will happen? Let me stop my server and let me start my server again, and you will see something. Right now if I'll disable this CSRF protection, obviously the token that you guys are seeing right now, that token you won't be seeing in your form. Right now let me go to my Google Chrome again, let me do a refresh, right now let me do a logout, okay, I've already been logged out, so this is my sign-in form. Let me go here, let me open the page source of this, and you can see right now my form starts from here and my form goes till here, and there is no CSRF token generated right now, because I have disabled this CSRF protection. Now you close this, you also close this, now let me log in here, admin, admin, sign in. Okay, now let me go to the dashboard; now you can see I got chicken biryani here, the price is 155. If I want to do an update, if I click on update, I have already logged in, right, just right now I have logged in, so I don't have to log in again. So right now you can see there is a form here; if I open the page source of this particular form, right now again you will see that there is no CSRF token. Right now, see, the form ends here, the form starts here, but there is no CSRF protection, there is no CSRF token generated by Spring this time, because we have disabled the CSRF protection by writing this http.csrf().disable(). And also you can write like this: form
login, you can also write .and() and you can just write .csrf().disable(), right; you can either write like this or you can write like this to disable this CSRF protection, but let me choose the previous approach, let me do things like this only. So right now, anyhow, I'm disabling the CSRF protection. Now if the CSRF protection is disabled, obviously that token will not be generated by Spring. Right now what impact is it going to make in our application? Now let's see that. Right now I have disabled the CSRF protection; let me go back to my website, let me close everything, okay. Now see the problem here. Let me go to the dashboard; first of all let me log out of this application, I hope I'm already logged out, let me go there, okay, this is my dashboard, okay.

All right, so everything is going so smooth so far. But there is someone in the city, a bad guy, who is also browsing this website, and you know what, he wants to have the chicken biryani for free. But well, how can someone have the chicken biryani for free? Because this costs 155 rupees, and if someone wants to have it free, the price of chicken biryani should drop to zero; then only I can order it for free. Well, to drop the price to zero obviously you need to click on update, and of course you need to be the restaurant owner in order to have this credential. So let's say only the restaurant owner is able to log in, and after he clicks the sign in button, once he logs in, he can basically change the price to zero; he only has the option to change the price. But what if someone else, if I'll copy this and if I'll go to a different window, let's go with a new incognito window, and here if someone else is trying to access this URL, obviously he needs to log in, and obviously once he logs in, at that time only he'll be able to change the price, and nobody has that credential. So nobody else apart from the restaurant owner can change the price of chicken biryani to zero. You know what, the bad guy who is basically browsing this
website he said well i'm a hacker and you know what i will i know that if i want to try to change the you know price of chicken biryani then obviously you know i have to log in first because if i go to the dashboard i can only see it i cannot change the price of the chicken biryani and if i want to change i have to log in and if i need to log in then obviously i need the credential what i don't have well but you know what that's fine if i'm not able to log in but i will make the restaurant owner login and i will make him login to his own account and change the price of chicken biryani to zero now you might wonder that why should the restaurant owner will do that well because the bad guy the hacker will create a trap okay and how does that trap works how does being a hacker we will force the victim we will force the website owner or will force the user of that particular website to change the price of chicken biryani to zero okay let's go ahead and observe a scenario that how hackers create different kind of traps for you and how they will make you do something even though you don't want to do that okay so let's see a scenario right now all right so now the hacker will do what so he'll go to the website let's say this is the website available in the wave and anybody can access this website so for an example if i want to see the back end of this particular form how this form has developed by the developer i can simply do a right click and i click on view paste source and i'm able to view the page source right now so if i'll go down i can see that this is the form my form tag starts from here and my form tags ends here and don't worry you don't need to understand all these things how this this has been developed is fine i'm just trying to give you an example and just try to correlate uh how the attack can be made i'm just trying to make you understand that thing so imagine this is the form uh i'm in the html form that we are seeing just right here the menu the item 
the price description type and add menu if we'll go here you can see that there are different fields called item name price description type and there is a submit button for add menu which is this one this is the submit button and once you click here then the form will be submitted to the server the menu item will be updated okay so whenever we click on add to menu there will be some changes will happen in the server and and if you'll if you'll click here you can see that this is my form my form starts here my form ends here and basically this is the action and the action you can see now whenever you do a submit the form will be submitted to save menu and the method is pushed by looking into this i can tell that you know when someone is trying to do a submit there will be some changes will happen in the server because it is a post method and post method is a very complex method because whenever we do a post we need we we need to do some changes in the server and obviously the data changes inside the server can have a very big impact okay uh so forget about that so the bottom line is this is basically a form that we are seeing right here and obviously whenever someone do a submit some data can just happen in the server end well this source code anybody can get it uh who is basically going to do a you know view page source whoever will do a right click a view based source in the web anybody can do that you cannot protect people to see your source code the front end source code right so someone will do what you know he will go to here right now this is a form let's say someone is gonna copy this particular form and i'll do what i'll just go to any of my notepad or notepad plus plus or any text editor let me go to the text editor for an example i'm gonna open up brackets okay this is one of my text editor you can open up your notepad do a control n the hacker will do what he'll just do a copy paste here and he will save the file right now let's say the hacker is trying 
to save the file as a name called um attack for example i'm writing attack attack dot html okay do a control s so one html form right now we have so this is a different uh text editor i'm using uh i i do create a very simple html form right here okay so right now i don't need all these things what i want okay there are so many fills here and what i want i will be removing all this stuff i will not remove the submit button i will have the submit button and this is the item this is the item name label and this is the price level right so i want to change the price to zero so maybe i will just make it zero and basically what i will do uh this menu the s3 the header everything i will i can remove but i'll remove it later let me do a control s now i just do some edit to this particular page and i click on i want to see the page how it looks like right now this is a different html form that i'm trying to create you can see i i got two fields right now called chicken biryani the value is set and the price is right now set to zero because i have changed the price if we'll go to the text editor i've changed the price here to zero the value is the value is zero for the price okay the name is price the parameter name is price the value is zero this is for the label price and if you want to make it uh let's say 10 rupees you can also make it 10 rupees i mean you can give any value to the price that you want and of cour and of course you know right now it will go here uh to the page uh right here and if i do a refresh you can see the price is changed to 10. 
so basically whatever the price i want to set i can set it just right here now this is the form this is kind of a form i want my restaurant owner to execute well you can see this is coming from a this is a simple html file that i have created called attack.html right now i want to run this html file on the client server i mean whoever the client is right now i want to attack the restaurant owner i want to uh i i want to make him uh you know run this particular file so what will happen if you'll be running this particular html the moment he'll be doing submit so where the flow will go you go to your uh go to your file that you are creating now the flow will go to express taba that this is this is maybe the project name then there is an endpoint called slash save menu so to here the form will be submitted the form when the form will be submitted whenever someone is going to click on the submit button the data all this data the value the name whatever we want to change we want to make it submitted to this particular endpoint so that this data will be saved inside the restaurant owner database inside the uh the person whom we are basically attacking on their database you know this value will be saved okay so right now i'll just do a make a little more modification let's say right now i will just do here uh http colon double slash local host colon eight zero eight zero slash express java slash save menu when someone is going to post this particular form i want the data to be submitted to this particular url i'll do a control s i'll go to my server i'll do refresh now let's say if i if someone is clicking on add menu uh see right now i'm not able to submit because of course how can i submit it it is gonna ask me to do a login again well this makes this makes sense because obviously i'm running it from a different browser and i don't know the credential of the restaurant owner so obviously if if someone is trying to hit this endpoint directly obviously he has to log in so 
what i mean by this is you know if you are going to run this url separately go to control c you open a incognito window maybe if it will open up this window and it will do control uh control v and if you do enter then obviously you need to log in but you don't know the credential of the restaurant owner because if you will be posting the data and if you want the biryani price to be changed to 10 rupees from 150 rupees you want to do some changes and for that you have to log in but i don't know the login of the restaurant owner but what i will do i will make the restaurant owner do the login okay so how can i mean how that particular thing works now imagine this scenario imagine the restaurant owner let me close all these things the restaurant owner is here okay imagine this is a menu dashboard uh he is already locked in imagine he is trying to do a update now imagine he is already login uh so right right now imagine the restaurant owner is already logged in i already did a login right now so right now he is just making some changes and this is the work that this restaurant owner is doing and right now he has this particular website open where he is already logged in right now what we will do as a hacker you know this form we will send it to the restaurant owner and we will make sure that the restaurant owner is opening this particular form in his browser so the moment the restaurant owner is gonna run this particular file in the browser imagine we will send him ml that hey can you please click on this link once he clicks on this link imagine if we run this particular file now this particular file will be open in the same browser and you can see in this browser he has already opened this particular website right where he has already logged in if he is already logged in there should be a session created if i'll go to more tool developer tools you can see there should be a station if i'll go to application uh cookies the the session has already been created and it's 
already been authenticated and now if some kind of work the restaurant owner is trying to make here like he wants to update another item or he wants to delete something he doesn't have to log in again if you click on update directly the form is open right he doesn't have to log in again right now we will take this opportunity right now he already opened the same file in a different tab and here if by mistake the restaurant owner is going to click add menu the data will be posted to the server and this form url if you see it will go to the view page source right now the data will be posted to this url and to this url if you want to post some data you have to log in but right now you the restaurant owner doesn't have to log in again right the browser doesn't know someone made the restaurant owner to open this particular page right i mean we send him an email he clicks on that link now this particular page is open now by mistake if he clicks on add menu now what will happen you will see it will go to here first of all it will go to the dashboard uh see here right now the chicken biryani price is 155 right now imagine he's clicking on add menu and you will see that the data has been posted in the server now if you'll go to the menu dashboard you see that the chicken biryani price has been changed to 10 rupees okay now you see how the hacker trapped the restaurant owner now you are gonna ask me that uh you know uh will ask do you think the restaurant owner is going to be crazy so if you're gonna send a form like this do you think he's gonna click there but i'm just giving you an example we can actually make him click there i'll just show you something right now imagine the hacker wants to change the biryani price to zero so now what i'll do i'll do control s i'll make sure uh this particular field price i'll make it a hidden field right instead of saying type equal to text i'll make this i'll make this form input hidden right and the item name also i'll make sure this 
is going to be a hidden field okay i don't want to make the restaurant owner feel anything suspicious so i'll make everything hidden and also i'll remove all this s3 tag and things like that i'll be removing everything remove everything and do a control s and everything is looking good all the input fields that i have like id hidden item name type is hidden and price type is hidden so he won't be seeing the form and here instead of saying add to manual i'll just make a trick win iphone 11 for free okay so i'll say get a iphone 11 for free or maybe i'll just make it a label so i'll just go here i'll create a label here and the label is going to be get a iphone 11 for free and uh here in the value the submit value i'm going to say claim so input type equal to submit value equal to claim right do a control s and right now what i'm gonna do imagine i'll go to my internet and i'm gonna say iphone 11 images i'll just try to download a nice image i'll go to the images so any iphone images iphone image can i get can i go to here product right click open the image in new tab so this is going to be a url ctrl c this image url i want to show this image go to your text editor called brackets and right here always do one thing um i will just create an image here image and here for the image i'm going to give a source the source is going to be this url this is the url to that image and also let me set some height and weight let me say height is 500 and width is uh 600 control s right now if someone is gonna run this if someone opens this now you see there will be a nice phone here and there is something called claim well the chicken biryani i'm still able to see it maybe what i can do i can go back to my text editor again why i'm still able to say chicken biryani maybe there is a typo here so type equal to hidden and the label price also i will be removing i don't want to show him any level so right now i'll go back to the same page and see how the page is looking like right now 
i will just email him this particular page and once he will open the url inside the same browser that where he has already logged in imagine he has open open his application just right here now in the same browser he is opening this right now by looking into this form what you will see that okay there is a phone i get a iphone for free maybe it should be get an iphone for free and if you click on claim you feel that you are claiming for this iphone but internally we are we are basically making the restaurant owner fall inside a trap so basically you can see if i'll go to the install title here if i see the biryani price right now if i'll do a refresh the chicken biryani price is 10 rupees right now i can modify it to again to zero you can see it right now you can see if i click on this update button he is already logged in there is no need to log in again so someone sent him an email he clicks on the link this particular page is opened right now if you if you click on this claim button boom something happened right he navigated to some different url you can see and if we'll go to the restaurant side right now if you if you click on the dashboard see the chicken biryani price right now change to zero right now anyone can order the chicken biryani for free and he doesn't have to pay a penny right so we have basically uh created trap for the restaurant owner we have created a simple html page just like this and we we made sure that he's gonna run this particular page in his browser okay and he will see a page like this the moment he clicks on claim right uh he will be feeling like okay he is going to have a lot of fun by having a iphone 11 for free but actually he is falling inside a trap okay and all these things happen because the csrf cross site request personally happened with him right you can see cross site the the actual site is this one okay this one is the actual site we have created a fake website just like this this is our website we have created this 
website the fake website if i click on the live mode if i if i want to see the preview so this is the website that we have created now cross site two sites are involved the original site and the site that we have created we with the attacker site i mean we met the restaurant owner we met the team to come inside our site and click on some option and he is not our about that he is actually changing the price of the menu which is gonna impact his original site which is here in the in the in the chicken biryani menu you can see the prices got changed to zero i hope you understand it right now i just have shown you a very simple example so you know might be you can you can understand like what about you know you are logged into your bank account okay and i being an attacker will send you something just like this and the moment you click on claim you will be ended up transferring you know two lakhs rupees from your bank account to my bank account imagine you are logged into your facebook account you got an email that hey you want to claim this iphone you click on claim and instantly your facebook account username and password got changed someone changed the username and password of your facebook account and all these things can happen unknowingly you are being a victim and you are ended of changing your username password or you have you are ended up you know transferring money to someone else you know this is what we call a cross site request forgery two two sides has been involved in this and there is a victim and the victim will be trapped by the attacker so the attacker can make you do anything as he wish okay and how to protect all these things okay hold on so before i show you the solution how you can protect yourself your application and your users from being hacked is you know by activating the csrf protection right now if you remember if i'll go into the back end where is my sts if i'll go into the back end here i have disable the csc surf protection or csr 
protection so spring security framework basically activate the seizure protection automatically right now you are explicitly disabling it which is a very bad thing and right now you are seeing that for an example if i if i close this right um so right now go to any of your form for an example uh if i if i'll click on this is the main website if i click on the update this is the form if i do if i'll do inspect then you can see that in the pace source i don't have any c serve protection id i don't have a i don't have a id called c surf available just right here so now what you can do now you can just go to your application and just activate the c surf so i'm commenting this particular line so so your c surf protection will be activated so i'll do ctrl s we're gonna come here and if you're gonna do a refresh you will see that the same form just try to see here you will see a another div here and basically this is a hidden field and a c surf protection is activated by spring a token is getting generated for you and this token has been generated by the server when the server basically serve you this particular page whenever you click enter here whenever you do enter now the request went to the server the server give you back this particular page right now with this page he has created the server has created a csr protection id you can see this id has been created and generated by the server so why the server is generating this particular id and sending that id or sending that seizure value with this particular form because next time whenever you'll do a submit the server will identify that whether you i mean this particular page has been designed by the server itself and this particular page has given by the server only right so that the server can track whenever you do a submit obviously this id will going again with this particular form now the server will validate like okay when i serve this particular form to the customer or to the user i have sent a csr protection 
id so whenever he is submitting this particular page right do he got the same id which is this one if yes then obviously no problem here you know process the request but imagine right now a attacker is trying to attack you if i will go back to at the fake website that i have created right now i'm creating a form like this when i'll be creating a fake website like this i can have access to the parameter name like item name like the id uh like the price but from where i will be getting the c serve id how can i know the c serve id the server is gonna be generating for that customer uh customer at that time so i won't be getting the c i cannot create another hidden field right here i cannot create a field like this input imagine name equal to see surf and the value how can i guess the value what will be the value the server is going to generate i cannot guess it so this csr value i cannot get is a attacker as a hacker i won't be able to get it so right now imagine your csr protection is on right now for this particular website the csr protection is on so now imagine the restaurant owner has already been logged into this application now if an attacker is trying to send him an email this particular page if the attacker is trying to send him through an email right now imagine the restaurant owner is getting an email he clicks on the link and this page is open right now even if he clicks on the claim button you know it will tell you man who are you okay it's saying that 403 forbidden right now even though in the same browser i'm already logged in right if you are clicking on some suspicious link while you are doing a save i mean while you are trying to do a submit the server will catch you and it'll say that the server understood the request but refuses to authorize it because the c surf protection is on baby and you cannot you cannot you know ignore that or bypass that that's why i understand your request but i won't be authorizing it and i will raise the 403 forbidden 
and i will deny the access of it so you won't be seeing any data changes for an example right now if i will go back to my peg website imagine i'm changing the biryani price to you know 30 rupees control s if i'll go back to your original dashboard previously the price was zero right now let's say someone is trying to change it to 30 by attack by by attacking your website right now let's say by mistake you ran this html page in your server the moment you click claim right uh it will say hey i won't be i won't be letting you do this thing first of all so it's the 403 forbidden and if we'll go over here if i do a refresh you'll see that the value is still zero rupees it has not been changed to 30 rupees so that's how the sea surf protection can help you and all these things is managed by a filter called scissor filter so if you go back to that application uh if i'll go to the spring tool suit so this is my you know a security filter chain i hope you understand that how to develop it so far and here the debug is already on so if i'll go to the console you will see something uh the in the filter chain and this is the filter chain that we were talking about previously inside that we also got a filter called sea surf filter and the seesaw filter is basically you know helping you to activate the c surf protection and and if you are going to disable it then obviously the scissor filter will be disabled and you won't be getting the scissor protection on for your application for an example right now if you are going to enable this line sees our disable you will see that your server will reload the changes and the next filter that you will be getting for an example let the server reload the changes and right now if it if the filter is disabled right now it will go to the website right now and i'm already logged in right so chicken biryani update oh i'm i think server is started maybe let me do a login again now imagine someone is trying to hit this this particular url i'm 
gonna click on preview it will open it in the same window so you will see that if someone is clicking on claim well the data has been posted to the server right now if we'll go to the dashboard you can see that the chicken biryani price is changed to 30 and all these things happen because the csr protection is off and right now if you're gonna go to your website you will see that from the security filter chain we don't have any c-serve filter here do we have any seesaw filter here right now no so that's why we are able to bypass that you know the secondary protection that we had for our application and the hacker is right now able to hack you because of your ignorance so this is how dangerous it is if you are going to do this in your application so make sure that you won't be doing the c serve disable in a real time and in a production application and that's all about cross-site request forgery so making a little sense right now what is it guys yes but i have one question so you have you have prepared another html right hacker dot some html you have created so in that if suppose the hacker also copied the csrf token uh from the main website and now okay the c serve okay how can i mean that c surf id will be specifically for that hacker imagine there is a page uh delete okay imagine your bank account transfer money page and my bank account transfer money page right so when the hacker will copy the source code i mean first of all he'll log in and he will basically copy the source code of that particular page now the c sub token that he will be getting for him the server has generated the c sub token for him only okay now whenever you will be sending a request to c sub token will be different for you isn't it yeah got it got it all right so that's it guys that's it for today's session uh we will be talking a lot of different things like you know how we can basically save our you know user credential and user password in a database in the next episode uh till now we 
are using basically our server memory to store our user credential but we'll we'll go a step ahead and we'll be storing our user credential in the database in the next session hopefully you are excited but before you get excited and before you uh try jumping to the next episode i'll surely encourage you to take some time and do practice and let me know in instagram i'm i'm i'm i am on instagram and my instagram id is selenium underscore express you can ask me questions right there you can also go to my facebook private uh private facebook group obviously i'm gonna recommend you uh you know go and you know follow that particular page and start posting your you know doubts right there and so that i can help and it's a very good community and people uh having experience uh they can actually help you to resolve the research so see you in the other side and i'll see you in the next episode keep practicing keep coding and till then bye bye take care and i wish you happy coding [Music] foreign
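The configuration the video toggles between, written out as an added example (this is not the video's own code or the project's repository): the insecure variant with CSRF protection disabled, which is what let the attack.html form change the price, next to the default protected variant, plus the hidden field a custom login or menu form must carry so that the CsrfFilter accepts it. It assumes Spring Security 5.4 or later (SecurityFilterChain bean and lambda DSL rather than the WebSecurityConfigurerAdapter configure method shown in the video); the paths /dashboard, /save-menu and /login and the class name are placeholders.

```java
// Added example, not code from the video. Assumes Spring Security 5.4+;
// the paths and class name are placeholders.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // INSECURE: what the demo does to make the attack work. Without the
    // CsrfFilter no _csrf token is rendered into forms and nothing is checked,
    // so a POST from attack.html, sent by the browser together with the
    // victim's session cookie, is handled like any other authenticated request.
    // Deliberately not annotated with @Bean, so it is never registered.
    public SecurityFilterChain csrfDisabledChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/dashboard").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // SAFE: CSRF protection is on by default; csrf(withDefaults()) only makes
    // that explicit. CsrfFilter keeps a token in the HTTP session (one per
    // session, which is why a token the attacker copies after logging in with
    // his own account is useless against the restaurant owner) and on every
    // POST/PUT/PATCH/DELETE compares it with the _csrf parameter or the
    // X-CSRF-TOKEN header. A missing or different token gets 403 Forbidden
    // before any controller code runs.
    @Bean
    public SecurityFilterChain csrfEnabledChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/dashboard").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .csrf(Customizer.withDefaults());
        return http.build();
    }

    // A custom form has to send the token back. Thymeleaf's th:action and the
    // Spring <form:form> JSP tag add it automatically; in a plain template the
    // hidden field is written by hand using the _csrf request attribute:
    //
    //   <form action="/save-menu" method="post">
    //     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    //     ...
    //   </form>
    //
    // Leave it out and your own form fails with the same 403 the attacker gets.
}
```

The difference that matters is the last line of each builder chain: the demo's `http.csrf().disable()` removes CsrfFilter from the chain (the debug log the video shows no longer lists it), while the default keeps it. If a JavaScript front end rather than a server-rendered form submits to the application, the same token can be exposed to it with `CookieCsrfTokenRepository.withHttpOnlyFalse()` and sent back in the X-CSRF-TOKEN header; disabling the protection is not the fix.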
Info
Channel: Selenium Express
Views: 4,950
Keywords: spring security custom login form example, spring security authentication, spring security authentication and authorization, spring security tutorial, csrf spring security, cross site request forgery, csrf token spring security example, custom login page spring security spring boot, spring security fundamentals, spring security in spring mvc, spring security in spring boot, selenium express spring security, spring framework, spring boot security, spring boot security tutorial
Id: uzZzlar-iQI
Length: 111min 31sec (6691 seconds)
Published: Mon Apr 12 2021