Cross-Site Request Forgery (CSRF) Explained

  Рет қаралды 469,544

PwnFunction

PwnFunction

Күн бұрын

Пікірлер: 269
@forceboxed
@forceboxed 2 жыл бұрын
@4:53 one of the important things to mention here is that the csrf token is good only as long as it is mapped to the user's session ID in the backend. Otherwise, the attacker might simply obtain a valid CSRF token by visiting the main website themself and inject it into the malicious requests. Tying the token to the user's session and validating that on the backend for each request is very important.
@hydr0nium_
@hydr0nium_ 5 жыл бұрын
Seriously cant say it enough. I freaking love your videos
@kvenk001
@kvenk001 2 жыл бұрын
I second that notion
@justforyoutube1319
@justforyoutube1319 5 жыл бұрын
i came from LiveOverflow channel , i so glad to be here ! your channel is interesting , love it . keep up the good work
@jammincoder
@jammincoder 3 жыл бұрын
Man, I tried researching how CSRF attacks worked last year and I never got a solid grasp of it. This video changed that. As a cybersecurity enthusiast and web developer, this is super helpful!
@yasirhussain1875
@yasirhussain1875 3 жыл бұрын
No words to describe how much informational these videos are. Thank you.
@MaysField
@MaysField 4 жыл бұрын
"Cat-Site Request Forgery"
@a.yashwanth
@a.yashwanth 4 жыл бұрын
I watched around 15 videos regarding csrf and you are the only one who explained it clearly. Also not everyone stressed on "the browser automatically sends the cookies".
@shreyanshdesai3152
@shreyanshdesai3152 4 жыл бұрын
truuu
@kornelijekovac9793
@kornelijekovac9793 4 жыл бұрын
I still don't understand it. What does it mean? What cookies? All the cookies from all the tabs opened in the browser are sent with all POST requests that are being made on whichever tab?
@bsmldy8681
@bsmldy8681 4 жыл бұрын
@@kornelijekovac9793 All the cookies from one website will be sent to the server of that website on each request (with website I mean domain, not origin). The most important cookie is the one with the session id (SID), which identifies the user. More about this can be found if you search for "session management".
@kornelijekovac9793
@kornelijekovac9793 4 жыл бұрын
@@bsmldy8681 But how can cookies from two different tabs intermingle?
@bsmldy8681
@bsmldy8681 4 жыл бұрын
not sure what you mean by that
@dragonballZbigBang
@dragonballZbigBang 5 жыл бұрын
There's tens of thousands of videos on Csrf but you easily beat all of them. Yet the number of views you got aren't nearly as close as theirs. Niche youtubers like you are ahead of the time. I hope people like you are revered in coming 5 years
@PwnFunction
@PwnFunction 5 жыл бұрын
Yeah, late in the game, but it's totally fine, I'm just trying to give somethin back to the community.
@OviDB
@OviDB 2 жыл бұрын
Look at it now ;)
@gerolori
@gerolori Жыл бұрын
Damn, dude really planted the seed and let it grow
@sathvikmalgikar2842
@sathvikmalgikar2842 2 жыл бұрын
we need more of these. literally a free service to everyone genuinely interested
@nullpwn
@nullpwn 3 жыл бұрын
Wow , I love the graphical explanatory video, really easy to follow and understand in concordance with explication
@sleepydev4700
@sleepydev4700 3 жыл бұрын
the music and naration in the intro made me feel like I'm discovering a mistery in another new world, lol. great video
@CYB3Rsynth
@CYB3Rsynth 2 жыл бұрын
Third video of yours that came up, and perfectly described the concept. Subscribed
@theawless
@theawless 3 жыл бұрын
Great content. I can't believe this is free! PS: I love your colour scheme
@danialabsolute688
@danialabsolute688 2 жыл бұрын
I really enjoyed your theme of explanation and the background music. sounded adventurous
@rasikagayangunarathna
@rasikagayangunarathna 4 жыл бұрын
I genuinely don't understand why you stop creating videos. Your style is so cool.
@dogcat6221
@dogcat6221 3 жыл бұрын
He's back!
@krantisatyam
@krantisatyam 3 жыл бұрын
This is one of the best channel I have encountered 😍
@JoshuaKisb
@JoshuaKisb 4 жыл бұрын
was curious if tokens really work since you could just make a GET and read the token then post. glad you answered that question very quickly. awesome video. i will subscribe
@nivelis91
@nivelis91 5 жыл бұрын
You definitely deserve more subs ;)
@yashdeephinge
@yashdeephinge 2 жыл бұрын
Great Video and your drawing is amazing bro that google logo and the adobe logo was so perfect.
@miguelnunez1435
@miguelnunez1435 5 жыл бұрын
Just came by from watching LiveOverflow's video. I subbed and put on the bell notification on. This channel looks so cool
@MinusFourmn
@MinusFourmn 2 жыл бұрын
As I understand it, fetch and XHR require `useCredentials` to send the cookies along with the request which needs to be explicitly stated on the CORS header Access-Control-Allow-Credentials. Otherwise cookies are not being sent and the CSRF fails.
@subhashsarangi
@subhashsarangi 5 жыл бұрын
You are just awesome man. Why doesn't KZbin show such search results at the top. I couldn't find you when I needed but now I am happy. Thanks bro..
@mitchelline
@mitchelline 5 жыл бұрын
Incredibly amazing video as always. Very great explanation, and I love your color choices and how you draw/write everything
@itsfarseen
@itsfarseen 3 жыл бұрын
Love the style of explanation!
@kid_kulafu_1727
@kid_kulafu_1727 4 жыл бұрын
Bruh you need to create more content like this. Also you give example are to fast but over all your the best. 11/10.
@aminvogue
@aminvogue 4 жыл бұрын
Wunderbar...................U r one awsme teacher. Hats off to the effort you put in, for us mere novices.
@darklord555X
@darklord555X 2 жыл бұрын
the best channel, thanks brother for the knowledge
@ekaterinazakharenkova5826
@ekaterinazakharenkova5826 Жыл бұрын
Best explanation I've ever heard!
@casual-corner-k8s
@casual-corner-k8s 5 жыл бұрын
This is very well explained, appreciated
@ph0sgene967
@ph0sgene967 9 ай бұрын
As someone who pioneered csrf in 2007 this is a great video
@joshuz101
@joshuz101 2 жыл бұрын
I often find it hard to focus on educational videos like this, but somehow your videos have all of my attention. Not sure what voodoo you're using but it's working!
@berakoc8556
@berakoc8556 2 жыл бұрын
You put lots of effort into your videos. Transitions are amazing. Wonderful production.
@farzadsole3784
@farzadsole3784 3 жыл бұрын
Amazing content as always, big fan of your videos and tutorials, thank you so much ;D
@venkaraj
@venkaraj 2 жыл бұрын
Crystal clear explanation. Thanks a ton
@VietnamSteven
@VietnamSteven 5 ай бұрын
incredibly informative!
@aayushkubitkar4827
@aayushkubitkar4827 5 жыл бұрын
Came from Stök's channel. Absolutely loving it now! Subscribed and belled👏
@samuelk3076
@samuelk3076 5 ай бұрын
Very nice video, I love the explanation!
@fairchild9able
@fairchild9able 3 жыл бұрын
Thanks for making this. Really nice!
@king998100
@king998100 Жыл бұрын
probably the best explanation out there
@paulcalinovici8808
@paulcalinovici8808 4 жыл бұрын
Before sending the delete request, isn't the browser sending a preflight OPTIONS request to the server which will return an error and the delete request won't happen anymore ?
@aakashthakur1415
@aakashthakur1415 3 жыл бұрын
I was thinking the same. Ideally CORS would have stopped this.
@aakash18in
@aakash18in 3 жыл бұрын
yes. In case of Ajax request , SOP will stop the request as the preflight will return error
@ororabrian7106
@ororabrian7106 2 жыл бұрын
yeah. Just as a note, It seems that you can actually send a simple request to the server and the request will go through but you won't be able to read the response due to cors. namely if you don't have any headers on your request but then again that means you won't have any cookies and won't be carrying any state so pretty useless all in all.
@SunPodder
@SunPodder 2 жыл бұрын
As cors is just client sided, for a hacker this isn't difficult to bypass it
@spicybaguette7706
@spicybaguette7706 Жыл бұрын
@Orora Brian You can still do CSRF for non-authenticated requests, such as an anonymous message on a blog post or something, which is not entirely harmless
@stanpeng5931
@stanpeng5931 3 жыл бұрын
Such a good video. I love the voice as well: cute and reliable
@staynjohnson4221
@staynjohnson4221 4 жыл бұрын
12:47 I dont understand why the json data + the content type header are first passed through a redirect(?) then to the vulnerable site?
@peterfarhat5767
@peterfarhat5767 4 жыл бұрын
Because simply flash will forward the request as string and then the site will convert it into header and “ key = value “ type so that it would be readable by the API of vuln.com!
@youarethecssformyhtml
@youarethecssformyhtml 20 күн бұрын
Because the redirect can send cookies
@mosesegboh
@mosesegboh 4 жыл бұрын
you concept and style of teaching is lovely!..keep it up
@nickdaone
@nickdaone 2 жыл бұрын
You need more likes. Your work is needed for every developer.
@matthewdraevich4214
@matthewdraevich4214 4 ай бұрын
Great explained, thanks🔥
@zb2747
@zb2747 3 жыл бұрын
Great video, to the point and thoroughly explained the main concept.
@eshaan7_
@eshaan7_ 5 жыл бұрын
Thankyou for your videos. I would very much like to see a video on Insecure CORS and ways to escalate it :)
@ETbutforreal
@ETbutforreal 4 жыл бұрын
You explained this better than the skillsoft guys, that's for sure
@playboicartihey
@playboicartihey 2 жыл бұрын
this is the best. freaking cool
@dougthefiddler
@dougthefiddler 3 жыл бұрын
Very clear explanation. Thanks!
@Gigolas88
@Gigolas88 5 жыл бұрын
wtf you deserve way more likes on this
@zTech300
@zTech300 5 жыл бұрын
Great explanation bro, Keep up the good work. Wish ya da best.
@princepatwari365
@princepatwari365 4 жыл бұрын
Great videos.........Thank you for posting them
@mahirmolai3834
@mahirmolai3834 3 жыл бұрын
Was watching live overflows vid a month ago, and look at me now, watching each video of yours everyday
@gamingwolf3385
@gamingwolf3385 Жыл бұрын
Amazing 😅 , i learn a lot of new concepts in one video , but i think i will re-watch it later , some of them seem confusing !
@Meleeman011
@Meleeman011 4 жыл бұрын
this made me rethink my web security holy shit.
@MrVinaybhandari
@MrVinaybhandari 5 жыл бұрын
Videos are so interesting and clear with basic to advance. Keep going 😀
@raulherbert
@raulherbert Жыл бұрын
Awesome explanation! Tks!
@yeshwanth.alampalli
@yeshwanth.alampalli 4 жыл бұрын
Basic question 😐=> If the same origin policy blocks the request from different domain, how can cat.com make request on behalf of vulnerable.com? 🤔
@PwnFunction
@PwnFunction 4 жыл бұрын
Thats an example of Cross Origin Request, you can make requests to any website, but the response can't be read due to SOP unless the site let's you explicitly.
@shivamyadav1283
@shivamyadav1283 2 жыл бұрын
Is it true that SOP allows to send request cross domain but not read the responses? Why would even a request be even triggered by the browser if there is a SOP?
@kesogonzaga2671
@kesogonzaga2671 4 жыл бұрын
4:00 how did cat.com get my session id?
@esquilax5563
@esquilax5563 4 жыл бұрын
The attacker who created cat.com never needs to know your session ID. The javascript in cat.com makes a POST request to vulnerable.com, the browser sees that it's contacting vulnerable.com, and it automatically includes the cookies (including session id)
@dalewatson3978
@dalewatson3978 4 жыл бұрын
@@esquilax5563 sorry, so after i make request from vulnerable.com, and then i browsing another domain, and somehow open cat.com, the cat.com still can access my previous vulnerable.com cookies ? is it across the tab browser? what if i re-open the browser, will the request from cat.com still including the vulnerable.com cookies ? then cat.com really needs to know our history browser, so cat.com knows what was the useful cookies before ? does opening from private/incognito browser prevent csrf ?
@esquilax5563
@esquilax5563 4 жыл бұрын
​@@dalewatson3978 It goes like this: browser: hey vulnerable.com server, can you send me your content? vulnerable.com: sure, here it is, and please remember "session=123" ...later... browser: hey cat.com, can you send me your content? cat.com: sure, here it is (snigger) browser: hmm, the content says I should also ask vulnerable.com to do x, y, and z browser: hey vulnerable.com, can you do x, y, and z? And BTW you told me earlier "session=123" vulnerable.com: session ID checks out, OK, I'll go ahead and do x, y, and z. The browser knows *all* its cookies for *all* sites. When it makes a request to a site, it will only send the cookies for that site. Incognito mode can help in some cases. When you start off in incognito mode, you have no cookies, and they'll all be cleared when you close the incognito window. But you can still set cookies in the meantime. So if you're in private mode and you log into vulnerable.com, the same thing can happen. If you're only logged into vulnerable.com in your regular, non-private browser, then you can go to cat.com in private mode and this attack won't work. About closing and re-opening the browser, it all depends on when the relevant cookie is cleared. It can be set to expire when you close the browser, or to expire after a certain amount of time, or it can stay around forever. The server specifies how long the cookie should stay around when it sets the cookie. That's why many sites can decide to let you stay logged in even after the browser is closed and re-opened.
@trishulbhuyar181
@trishulbhuyar181 4 жыл бұрын
Won’t CORS will restrict the call, when delete request initiated from cat.com to vulnerable.com ?
@susovangarai6731
@susovangarai6731 4 жыл бұрын
your channel is a gold mine !!
@kds-2049
@kds-2049 4 жыл бұрын
Explained well, props to you
@chaosknight3175
@chaosknight3175 Жыл бұрын
Ok, good stuff. Subscribed.
@xa3da4
@xa3da4 3 жыл бұрын
I Love PwnFunction Video's ILLUSTRATION🔥🙌⚡😍
@zxuiji
@zxuiji 3 жыл бұрын
3:49, uh but there's an origin parameter there, that means the server should be the one responsible for checking the origin has authorisation prior to carrying out any command it has sent
@ororabrian7106
@ororabrian7106 2 жыл бұрын
I'm not sure about this I think that the server can decide to check this at the own descretion however this video is in the context of "what the browser does". I guess this video is about the security from the browser point of view.
@HarujiCat
@HarujiCat 9 ай бұрын
You saved me. Thank you so much
@chimithras4746
@chimithras4746 2 жыл бұрын
Great Explanation ✅
@a.yashwanth
@a.yashwanth 4 жыл бұрын
I get this as response headers but I still get the chrome cross origin error. access-control-allow-headers: Content-Type access-control-allow-origin: localhost content-length: 0 content-type: text/html; charset=UTF-8 date: Mon, 16 Mar 2020 15:52:28 GMT server: Apache status: 200
@nolongeravailable111
@nolongeravailable111 2 жыл бұрын
Nice video thanks for the amazing content
@MohaDou
@MohaDou 4 жыл бұрын
That's crazy explanation, Thanks a lot
@eLab43
@eLab43 3 жыл бұрын
Question: Why not just use postman and set the headers? Thanks
@ororabrian7106
@ororabrian7106 2 жыл бұрын
You can.... If you want to hack only yourself.
@yuvalozeri3142
@yuvalozeri3142 5 жыл бұрын
Amazing video, so clear! thank you
@jenniferwood4916
@jenniferwood4916 5 жыл бұрын
Love your videos! Please make more :3
@soufianeabbad887
@soufianeabbad887 5 жыл бұрын
Awesome video. I hope that you explain some bugs like vulnerable flash files, JSONP and email spoofing
@behnkenj
@behnkenj 4 жыл бұрын
Well done sir, keep them coming! :)
@artemislwof9264
@artemislwof9264 5 жыл бұрын
Fucking A . i had to do couple of days of deep research to understand some of those concepts in order to have some idea about where the exploits would be . you just explained it PERFECTLY in simple terms and visuals and confirmed some of my thoughts :D . u did share some valuable and accurate information despite supid youtube terms n policies. Thank you sir for the clues XD
@Odys42
@Odys42 3 жыл бұрын
Awesome ! Thank you !
@kivuosark2088
@kivuosark2088 3 жыл бұрын
Yes! We cannot access external website within but what about window.postMessage() ?
@khoroshoigra8388
@khoroshoigra8388 Жыл бұрын
most of the cases of being bypassed by other domains for a kind of request is by using */wildcard in CORS
@timon5851
@timon5851 2 жыл бұрын
4:08 why is cat-website allowed to send a cookie which is not his own? Where else does it now the sessionID to give a valid answer to the server? Sorry im kinda lost
@ororabrian7106
@ororabrian7106 2 жыл бұрын
Sometimes it's warranted. sometimes one site depends on you being authorized on another website.
@mitchelline
@mitchelline 5 жыл бұрын
I found a CSRF on a large website with > 500k members, so it's more common than you think! It allowed me to send their coins to my account, and those coins were bought with real money, so it was a decently critical flaw
@karansh491
@karansh491 4 жыл бұрын
Hey @PwnFuncrion why you're not uploading any videos now 😐
@mk9834
@mk9834 4 жыл бұрын
love your videos this is a god's work
@harshitjoshi3082
@harshitjoshi3082 2 жыл бұрын
This is awesome !
@TheShayMo1
@TheShayMo1 5 жыл бұрын
Hi PwnFunction , just found your channel , your animations on this video are fantastic , can you share what app you use ? Thanks & Great Job
@PwnFunction
@PwnFunction 4 жыл бұрын
Adobe animate to draw, Audacity/Auditions to edit sound and Premiere pro for editing vid.
@kurogaming3205
@kurogaming3205 4 жыл бұрын
I love your videos there amazing , professional ! but I guess slow down a little bit for new people, other than that your the best I have ever being taught
@vitorgouveia5378
@vitorgouveia5378 2 жыл бұрын
but doesn't CORS prevent this?
@brod515
@brod515 3 жыл бұрын
let me get this right, if cat.com sends a request to vulnerable.com the browser automatically sends cookies of vulnerable.com with the request but cat.com can't read the response right. they crucial part is that cat.com can't read the response.
@vanjavk
@vanjavk 2 жыл бұрын
I feel like you're correct
@indientis6003
@indientis6003 2 жыл бұрын
*Sees **11:42* *Cries with Respect*
@yashsodha1406
@yashsodha1406 5 жыл бұрын
Does the Flash CSRF JSON trick still work?
@salahbaddou8583
@salahbaddou8583 5 жыл бұрын
yes it does, it requires the victim to allow flash though, but it works neverthless
@mohitpal1505
@mohitpal1505 5 ай бұрын
But isn't the cookie domain-specific? When we click the cat site(evil) would it still send the cookie(containing sensitive data like sessionId), though it is not associated to hat cat's domain?
@rulzz2581
@rulzz2581 4 ай бұрын
You are right, cookies are domain-specific. If you have two different websites opened in your browser, they will not know the Cookies of each other. But the thing is that your BROWSER knows them. And it's your browser that automatically sends them with every request to the website. Otherwise, you were supposed to re-login into the website every time you wanted to make any action.
@LiEnby
@LiEnby 3 жыл бұрын
Wait thou the form will be sent with "Content-Type: application/x-www-form-urlencoded" and NOT "Content-Type: application/json"!!
@ororabrian7106
@ororabrian7106 2 жыл бұрын
This is the problem I see with the JSON workaround as well. how do you get around this 🤷‍♂️. I'm not even sure that json data is sent in the same way form data is sent.
@LiEnby
@LiEnby 2 жыл бұрын
@@ororabrian7106 server may not care about content type..
@ororabrian7106
@ororabrian7106 2 жыл бұрын
@@LiEnby yeah that's true. alot of this is also relying on a rely lax server 😂 ... from what I've read I believe a resonable server would also look at origin and referrer
@jimmyliu2982
@jimmyliu2982 3 жыл бұрын
But how is it possible to post json via html form, where entry is urlencoded?
@atharvakadlag1937
@atharvakadlag1937 3 жыл бұрын
You're videos are awesome
@oussamasethoum1665
@oussamasethoum1665 7 ай бұрын
Can cors prevent this request when credentials are included and the cookie is http only?
@kaos092
@kaos092 11 ай бұрын
Cookies from other tabs / domains aren't sent to the server.
@funtutes5122
@funtutes5122 4 жыл бұрын
is there a video done by this guy on double submit cookies pattern?
@585ghz
@585ghz Жыл бұрын
nice video! thanks a lot!!!
@thomaseaso
@thomaseaso 5 жыл бұрын
Excellent Explanation
Cross-Site Scripting (XSS) Explained
11:27
PwnFunction
Рет қаралды 461 М.
Difference between cookies, session and tokens
11:53
Valentin Despa
Рет қаралды 666 М.
黑天使被操控了#short #angel #clown
00:40
Super Beauty team
Рет қаралды 61 МЛН
Cat mode and a glass of water #family #humor #fun
00:22
Kotiki_Z
Рет қаралды 42 МЛН
Beat Ronaldo, Win $1,000,000
22:45
MrBeast
Рет қаралды 158 МЛН
XML External Entities (XXE) Explained
20:11
PwnFunction
Рет қаралды 160 М.
Cross-Site Request Forgery (CSRF) Explained
11:59
NahamSec
Рет қаралды 26 М.
Your App Is NOT Secure If You Don’t Use CSRF Tokens
9:57
Web Dev Simplified
Рет қаралды 137 М.
HTTP Parameter Pollution Explained
11:08
PwnFunction
Рет қаралды 255 М.
Cross Site Request Forgery - Computerphile
9:20
Computerphile
Рет қаралды 772 М.
The Same Origin Policy - Hacker History
12:19
LiveOverflow
Рет қаралды 109 М.
Cracking Websites with Cross Site Scripting - Computerphile
8:34
Computerphile
Рет қаралды 1,5 МЛН
Don't make random HTTP requests.
14:02
PwnFunction
Рет қаралды 390 М.
Web Server Concepts and Examples
19:40
WebConcepts
Рет қаралды 265 М.
Running a Buffer Overflow Attack - Computerphile
17:30
Computerphile
Рет қаралды 2 МЛН
黑天使被操控了#short #angel #clown
00:40
Super Beauty team
Рет қаралды 61 МЛН