18:24 If anyone else was also confused when he says POST-AUTH REDIRECT: he is talking about after the OAuth dance is over, he doesn't mean a POST-based OAuth flow.
Even though the state parameter is present in the request, you should always check for CSRF. I've found many targets vulnerable to this. Most people leave as soon as they see the state parameter in the request. This happens because of a misconfiguration in the OAuth flow where it doesn't validate the state parameter server-side. It only checks whether it is present or not.
BBRE guy is the only person who cares about the eyesight of content consumers; he used large fonts which we can read easily.
You're welcome ;)
I see how this can be confusing. Since then, I have changed how I say this part to after-auth redirect to be clearer.
Also, login CSRF is still possible because we still have the state and we can send it to the user.
Very true! The presence doesn't mean it's checked.
Most sites now use strict URL validation on redirect_uri; not even an extra dot can be added. BTW thx Greg
Thanks Ben and Enjoooooooy 😊
I love and enjoy hearing him say enjoy
@ZarakKhanNiazi All of us like it 😁✌️✌️✌️
Thanks Ben!
Hey brother can you add these to the playlist
this was nice
Second