Cross-Site Request Forgery (CSRF) Explained

Поделиться
HTML-код
  • Опубликовано: 26 ноя 2024

Комментарии • 73

  • @santiagotaboada4584
    @santiagotaboada4584 8 месяцев назад +8

    Wow... This is amazing!!! I have been struggling trying to understand CSRF attacks. This video has helped a lot. Thank you Ben for these amazing videos.

  • @MFoster392
    @MFoster392 8 месяцев назад +7

    Thanks as usual Ben, You're still da man bro :) I've been having some medical issues lately so I'm in the 10 possibly even15 week program but it's ok i could never work for you at this point in time anyways. I'm sure you wouldn't remember but last year about this time I commented on a video saying i was a 51yr old paraplegic who didn't know Linux, the terminal, heck i never even used a computer the only tech i new was my cell and how to email someone on it 🤷‍♂🤦‍♂. I seen one of your videos and thought i can learn bug bounty and make money from home because I'm stuck in a nursing home so i am going to teach myself so i can pay for help and get my own place. I'm proud to say I'm on my way since I'm teaching myself everything i gave 1.5 to 2 years where i can learn enough to make steady money to go with my SS check not a million dollar hacker like you but steady money and I'm proud to say I'm on track chugging along slow but steady :)

    • @NahamSec
      @NahamSec  8 месяцев назад +4

      Hey! Best of luck and I hope you feel better! ❤️‍🩹

    • @mayavik1034
      @mayavik1034 8 месяцев назад +3

      You are so inspiring, you should start a YT Channel, I bet it will go viral and will be another revenue stream. I will definitely subscribe.❤

  • @papafhill9126
    @papafhill9126 8 месяцев назад +6

    The question of "so what" (1:52), or as I like to ask about nearly everything in life, "who cares?" If people care about the vulnerability then it gains severity. The more "destructive" you can pitch the vulnerability as the higher the severity and two low severity vulns could easily become a critical vuln if combo'd so don't just report low bugs, you are only screwing yourself over.

  • @MarkFoudy
    @MarkFoudy 8 месяцев назад

    5WP and thanks for the content as always! Hope to meet you at Defcon

  • @programmerbully2556
    @programmerbully2556 3 месяца назад +2

    I don’t understand . You talk and explain the concept so fast that i can’t even comprehend what is going on

  • @vis2079
    @vis2079 8 месяцев назад

    Thanks for video, 👍 but what happened to Q&A video on CSRF ....? it is marked as private.... Will it be available sooner?

  • @sQbhAn
    @sQbhAn 8 месяцев назад +1

    I started to watch all your 5w from xss ,and i have a question, where can i find my first vulnerability ,i know how does this vulnerability loo k like but i dont know where should i looking for them, mayby every web page i working with?

  • @vallerioalvaren
    @vallerioalvaren 8 месяцев назад +1

    hallo ben thanks for making this video, I want to ask you how to execute csrf on graphql?

  • @DanMulvey
    @DanMulvey 8 месяцев назад

    5WP - thanks for the video, time to go see how good coca-cola is at csrf protections!

  • @RealEyes24
    @RealEyes24 Месяц назад

    I cannot reproduce what you are doing on notifications / email, I cannot change anything

  • @bigbugbang-lr1sy
    @bigbugbang-lr1sy 8 месяцев назад

    from 5wp. tnx a lot 'soltan' nahamsec

  • @hiamealhilwa6684
    @hiamealhilwa6684 8 месяцев назад

    I haven't found the first security vulnerabilities yet and I'm very disappointed😭

  • @GoliTech
    @GoliTech 8 месяцев назад +1

    thanks a lot Naham.

  • @shohaghasan5641
    @shohaghasan5641 8 месяцев назад

    Got a better overview from this.

  • @adhishrikothiyal.dreamz
    @adhishrikothiyal.dreamz 7 месяцев назад

    I could not understand the part where you framed an HTML element using tag. I tried opening it and was unable to execute the action that I intended to. My second question isa if I were to delete any user info I would not have the access to the other user's account usually. How would I find the id value in that case.

    • @sanjaiKumar-.-
      @sanjaiKumar-.- 7 месяцев назад +1

      You need to have 2 accounts. Now, try testing by altering the IDs and so on

    • @adhishrikothiyal.dreamz
      @adhishrikothiyal.dreamz 7 месяцев назад

      @@sanjaiKumar-.- I did but wasn't still able to replicate it.

  • @pyrexpimpin
    @pyrexpimpin 8 месяцев назад

    5wp and thank you for eveerything you do

  • @Fesssa
    @Fesssa 8 месяцев назад

    Bro will you update you Bug Bounty Course on Udemy???

  • @bugsecurity
    @bugsecurity 8 месяцев назад +4

    alert('5WP');

  • @tajsec498
    @tajsec498 8 месяцев назад

    Let’s goooo🎉

  • @madatch9947
    @madatch9947 8 месяцев назад

    What is this caido that you are using? Is it better than burpsuite?

    • @adhishrikothiyal.dreamz
      @adhishrikothiyal.dreamz 7 месяцев назад +1

      Ben is an advisor at Caido. Caido is security auditing tool. Not as good as burp but can replace burp in future.

  • @deedsenterprises
    @deedsenterprises 8 месяцев назад

    5wp for the win!

  • @leghdaf
    @leghdaf 8 месяцев назад

    \\alert('5WP')//; Thanks Nahamsec ...

  • @gk_eth
    @gk_eth 8 месяцев назад +1

    Please explain how to approach web apps with json content-type in the case of csrf?

    • @mach1ne722
      @mach1ne722 8 месяцев назад +5

      Once the content-type is application/json, browser will send the preflight OPTIONS request before forwarding the actual cross-site request. This mechanism might stop your actual request from being forwarded. If the applicaiton responds with Access-Control-Allow-Headers: Content-Type, then modified Content-Type will be allowed and the cross-site request will pass through. If the ACAH header is not allowing modified Content-Type, you can try to forcefully change it to one of the following: application/x-www-form-urlencoded, multipart/form-data or text/plain. If the application still accepts the request, you can abuse this by modifying the malicious form to include enctype=text/plain. There are some other ways to specify the Content-Type header, depends on what you use to generate cross-site request. If the application has sufficient protections against Content-Type header manipulation, you cannot abuse CSRF. Be also mindful that the ability to abuse the CSRF will also depend on if the application uses JWT token in the form of Authorization: bearer or if the session cookie is set as Lax, or Strict. This protections will also mitgate the CSRf risk.

  • @cyberX553
    @cyberX553 2 месяца назад

    cloud hacking tutorial pls

  • @harsh9343
    @harsh9343 8 месяцев назад

    what is 5wp?

  • @warnawarni5227
    @warnawarni5227 8 месяцев назад +1

    is CSRF still alive now?

    • @gk_eth
      @gk_eth 8 месяцев назад

      that's the question, lol

    • @mach1ne722
      @mach1ne722 8 месяцев назад +2

      Not a bug bounty hunter, but a security researcher and pentester here. Not really sure how it is in bug bounties, but this vulnerability might be reported quickly, so you will need to be really advanced in this topic to find the "edge" cases and bypasses in certain situations. Just last week found open-redirect, missing samesite flag on the cookie + insufficient content-type validation chain in one of the core banking last week, so I would say that it very much is alive.

    • @itsm3dud39
      @itsm3dud39 8 месяцев назад +4

      i found 5 csrf last december and got 250euro for each. csrf is still alive you have to complete all the portswigger labs to find different types of csrf

  • @ucheugbomah2228
    @ucheugbomah2228 8 месяцев назад

    not late today

  • @Gamer-zo2dm
    @Gamer-zo2dm 8 месяцев назад

    Can't help to click 😂

  • @utkarshanand8369
    @utkarshanand8369 8 месяцев назад

    5WP!!!!!!!!!!!!!

  • @victoriozuyev
    @victoriozuyev 8 месяцев назад

    5WP! Thanks @NahamSec!

  • @chrisputt9205
    @chrisputt9205 8 месяцев назад

    5WP !!!

  • @ramseyibe2844
    @ramseyibe2844 8 месяцев назад

    5WP 🎉

  • @badcops9105
    @badcops9105 8 месяцев назад

    alert(5wp)

  • @17hitchcockt
    @17hitchcockt 8 месяцев назад

    5WP!

  • @rctech1237
    @rctech1237 8 месяцев назад

    5wp❤❤❤

  • @nolongeravailable111
    @nolongeravailable111 8 месяцев назад

    W

  • @BugHunter3009
    @BugHunter3009 8 месяцев назад

    5WP

  • @roshanpokharel999
    @roshanpokharel999 8 месяцев назад

    5wp

  • @jondo-vh8tx
    @jondo-vh8tx 6 месяцев назад

    good content but you talk to fast

  • @challengeaccepted6382
    @challengeaccepted6382 8 месяцев назад

    5WP

  • @ucheugbomah2228
    @ucheugbomah2228 8 месяцев назад

    5wp

  • @rafaelgonzalez9793
    @rafaelgonzalez9793 8 месяцев назад

    First

  • @mohammedaashique2893
    @mohammedaashique2893 8 месяцев назад

    5WP Thank you soo much @NahamSec

  • @TheEinzzCookie
    @TheEinzzCookie 8 месяцев назад +2

    First

  • @constantRic
    @constantRic 8 месяцев назад

    5WP!!

  • @diy_tech_genius
    @diy_tech_genius 8 месяцев назад

    5wp

  • @iljabrudel6224
    @iljabrudel6224 8 месяцев назад

    5WP

  • @user-ew5vj1sl1u
    @user-ew5vj1sl1u 8 месяцев назад

    5wp

  • @tthtlc
    @tthtlc 13 дней назад

    5wp

  • @namanyadav5668
    @namanyadav5668 8 месяцев назад

    5WP

  • @lovelivinglife904
    @lovelivinglife904 8 месяцев назад

    5wp

  • @ishowmonkey5918
    @ishowmonkey5918 8 месяцев назад

    first

    • @Jarling-so4oi
      @Jarling-so4oi 2 месяца назад

      nobody cares

    • @ishowmonkey5918
      @ishowmonkey5918 2 месяца назад

      @@Jarling-so4oi this was 6 months ago lol ur a child

  • @BackF0x
    @BackF0x 8 месяцев назад

    5wp

  • @GhostNongs
    @GhostNongs 8 месяцев назад

    5wp

  • @markfuentes3666
    @markfuentes3666 8 месяцев назад

    5wp

  • @rafaelgonzalez9793
    @rafaelgonzalez9793 8 месяцев назад

    5wp

  • @646U
    @646U 8 месяцев назад

    5wp

  • @bild96
    @bild96 8 месяцев назад

    5wp