4

I am Looking at the Network activity of this page: https://helm.csod.com/ux/ats/careersite/4/home?c=helm&lang=de-DE.

Specifically at the post request with the Name: "search". Its using an authorization token.

tldr: How is the following authorization token stored on the Client side? enter image description here

Goal:

I would like to understand how the browser (client-side) stores this authorization token. I dont Need to get the data or know how to scrape with selenium or sthg. I would just be interested in the mechanics behind.

What i tried:

I find the token in the page source: view-source:https://helm.csod.com/ux/ats/careersite/4/home?c=helm&lang=de-DE.

  • It seems like there is an object csod created in /player-career-site/1.15.4/pages/home.js.
  • then the key is stored in csod.context.
  • Finally, csod.player.initialize(csod.context) is called.

Unfortunately, i failed digging in the Code and finding These function as there where too many Matches for initialize and my js are skills too bad. As storage i am only Aware of the Cookies. It might be transformed / encrypted and stored in the cookies? But how is it then restored to the "original" token, before being added to the request Header?

Tlatwork
  • 1,445
  • 12
  • 35

2 Answers2

4

This seems to be a CSRF prevent method.

The token is created with a key in the back end, it stores the original key in a session and sends the token to the client side.

When the client sends a request, the token is posted with the data as a header or with the data, then the back end gets the stored key in the session, generate the token with the same method and compare it with the posted token. If they are equal there is no problem, access granted.

It is not necessary to restore as you can't decrypt that depending on the algorithm (sha256, md5, etc)

And the browser don't do that, as it can be manipulated, there is no sense to.

  • thanks a lot for your answer. Thats already great to know. I did not really get how the key is stored on the Client side. Do you have any idea how that works? – Tlatwork Dec 18 '19 at 10:01
  • It can be stored in a meta tag, in ajax setup on jquery side, or as an input hidden in forms, anything that can handle a request can store it. –  Dec 18 '19 at 16:03
  • hmm Maybe i missunderstand something, but i would assume the token would have to be stored on Client side (if they are used in a request header),... woulldnt meta tag, Input hiiden in forms, etc. be the Server side? – Tlatwork Dec 20 '19 at 22:02
  • The token is stored in the client side and the key in a session in the server side, take a look here [https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php](https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php) –  Dec 20 '19 at 23:59
2

The token sent here is JWT(JSON Web Token). This is a widely used standard authentication mechanism. You can create your own token in any languages like JS, Java, PHP, Python, etc.

I am adding a basic authentication flow:

  1. Let's say a user comes on a form. Enter his email & password.
  2. Now an HTTP request is being sent to the server with credentials. The backend server checks the details and if successful, then returns a response containing the authentication token.
  3. Most of the time this token is stored in localstorage and sometimes in cookies.
  4. Now for every request the token is picked from the stored location and sent in the header.
  5. On the backend, it is checked if the request header has the details or not. And then respond accordingly.
  6. At last, whenever someone logs out then that token is removed from the front end.

I hope it helps! Let me know if you have any queries

akbansa
  • 381
  • 1
  • 11
  • great info thank you. Thats actually Closer to the answer i was Looking for. Sadly the Bounty was auto-assigned already. What would you say, where is it stored for this page?If i delete the Cookie ASP.NET_SessionId i cant use the filters anymore. Could it be the case that the authorization Code is generated from this Cookie? (Deleting local or session storage does not have an Impact,..) – Tlatwork Dec 24 '19 at 17:53
  • The cookie is set when session-based authorization is implemented. – akbansa Dec 25 '19 at 18:49
  • hmm, i am Aware when the Cookie is set. The Question is more whether this is the Cookie/value that is used as an Input for the Auth-key and how the Cookie value is transformed to the Auth-key? What algorithm is used there. Would be super interested to understand that. Thanks anyway, i really appreciate the time you take!! – Tlatwork Dec 25 '19 at 18:58
  • 1
    Auth-key to cookie is a hash created on the server-side, and when the request is sent to server that checks if requests session cookie or not. And then decode and verify. You can learn more https://codeahoy.com/2016/04/13/generating-session-ids/ – akbansa Dec 25 '19 at 19:02