Thursday, September 13, 2018

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) occurs when an attacker tricks a logged-in user of a web application into sending a request the user never intended, typically by getting the user to visit an attacker-controlled site while still logged in to the application. The attack is cross-site because the request originates from another site, and it works because the browser attaches the application's cookies, including the session cookie, to any request sent to that domain, regardless of which site triggered it. The forged request therefore carries the user's valid session ID, and an application that relies on that cookie alone to identify the user cannot tell it apart from a legitimate request.

For example, an attacker can send the user a link to some gossip site while the user is logged in to the application. The linked page contains an image tag that does not display anything, but whose source points at a state-changing URL on the target application, as in the tag below.

    <img src="https://..." width="0" height="0">

The image is invisible because its width and height are zero, but the browser still requests the URL, with the user's cookies for that domain attached.

Attackers can also run the URL through a link shortener so that the link looks legitimate and trustworthy.

Triggering a server shutdown or unfriending people on a social network are other examples of actions that can be forced this way.

This particular trick works because the request issued is a GET request, which an image tag, a link or a redirect can issue without any user interaction. Therefore, any state-changing operation in the system, that is, one that changes data or the behaviour of the system, must not be implemented over the HTTP GET method. Instead, methods such as POST and PUT must be used.

Following this best practice removes the simplest attack vectors, but it does not remove CSRF: attackers can still forge POST requests in most circumstances, and PUT requests in some. An HTML form can only submit GET or POST; a cross-site PUT has to be sent from JavaScript and triggers a CORS preflight, so it only succeeds if the application's CORS configuration allows that method for the attacker's origin with credentials.

For instance, an attacker can make an administrator create an account for the attacker by sending the administrator a link to a page containing a form with hidden fields. The hidden fields hold the attacker's user details, which the administrator never sees. The form is either submitted through a misleading visible button that the administrator is enticed to click, or submitted automatically by JavaScript as soon as the page loads. Either way, the browser sends the form to the application with the administrator's valid session cookie attached, and, as explained above, the server cannot tell that this request was not the administrator's own.

The picture included below illustrates the basic flow of this process I have explained above:

There are several ways to protect web applications from CSRF. The Synchronizer Token Pattern and the Double Submit Cookie Pattern are two of them, and I will discuss them in a future post. Modern browsers also support the SameSite cookie attribute, which stops the session cookie from being attached to cross-site requests in the first place; it is a useful additional layer, but it should complement a token-based defence rather than replace it.

Wednesday, September 5, 2018

Basics of Neo4j (Part I)

Introduction to Neo4j

Previously, I made a post on MongoDB which is a NoSQL database.

Similarly, Neo4j is also a NoSQL database; it is designed to store schema-free, highly connected data.

There are four types of NoSQL databases: Document databases, Key-value stores, Wide-column stores, and Graph databases.

MongoDB is a Document database while Neo4j falls under the Graph database category.

As the word graph suggests, Neo4j stores data as a graph: nodes that are connected to each other by edges, called relationships. The bundled browser also lets you visualize the stored graph.

The query language used to carry out operations in Neo4j is called Cypher.

We create nodes and relationships in the database to store data. Nodes can be labelled, and a label identifies a kind of entity, much like a table name in a relational database: just as a table holds many rows, many nodes can carry the same label. Each node stores its data as key-value pairs. Relationships can also be labelled (their label is called a type) and can store key-value pairs of their own. These key-value pairs are called the properties of the node or relationship.

Compared to a relational database, then, a node is closer to a single record of an entity, where each record can be connected directly to other records. The properties stored in one node or relationship can differ from those of other nodes or relationships with the same label, so there is no fixed structure or schema for a given label. This makes it possible to store exactly the information each node or relationship needs, and nothing more.

You can download Neo4j Community Server by visiting the link. On Windows, run the command neo4j console from a command prompt opened as administrator to start the database.

Basic Cypher Commands related to Nodes

How to create a node in Neo4j?

    CREATE (a:Student {name:"Dinusha", country:"Sri Lanka"})
    RETURN a

The CREATE command creates a node. The parentheses () indicate a node pattern, and a is a variable bound to that node. The query works without a variable too, as in (:Student); a variable is needed only if the node has to be referred to later in the query, for instance in the RETURN command, which retrieves the created node so that it can be displayed. The command above creates a node with the Student label and the properties listed inside the curly braces {}, written as comma-separated key-value pairs with a colon : between each key and its value.

The command above will create a node in the database and return it as in the picture below:



How to match and retrieve an existing node in Neo4j?

There are two queries that can be used to perform this action.

1.

    MATCH (a:Student)
    WHERE a.name = "Dinusha"
    RETURN a

MATCH is used to match a pattern against the existing data, in this case a node pattern. The query then uses a WHERE clause to filter the matched nodes by the value of the name property. The WHERE clause in Cypher is similar to the WHERE clause in SQL statements.

2.

    MATCH (a:Student {name:"Dinusha"})
    RETURN a

Instead of a WHERE clause, this query places the key-value pairs to match directly inside the node pattern, which filters on those properties in the same way.

As with SQL databases, query on a property that uniquely identifies the record (ideally one protected by a uniqueness constraint) if you want exactly one node back; matching on other properties returns every node that satisfies the filter, which may be several.

Both these queries will return an output similar to the one in the picture above.

How to update the value of an existing key of a node in Neo4j?

    MATCH (a:Student {name:"Dinusha"})
    SET a.name = "Thiwanthi"
    RETURN a

Similar to the UPDATE statement in SQL, Cypher uses the SET clause to change the value of an existing property.

How to update a node by adding a new key-value pair?

    MATCH (a:Student {name:"Dinusha"})
    SET a.university = "SLIIT"
    RETURN a

A new key-value pair is added the same way, with SET: if the property does not exist on the node yet, it is created.

Please note that both update queries above can also be written with a WHERE clause instead of listing the property inside the node pattern, as in the first MATCH example. When a WHERE clause is used, it must come before the SET clause.