@4:53 one of the important things to mention here is that the csrf token is good only as long as it is mapped to the user's session ID in the backend. Otherwise, the attacker might simply obtain a valid CSRF token by visiting the main website themself and inject it into the malicious requests. Tying the token to the user's session and validating that on the backend for each request is very important.
@hydr0nium_5 жыл бұрын
Seriously cant say it enough. I freaking love your videos
@kvenk0012 жыл бұрын
I second that notion
@justforyoutube13195 жыл бұрын
i came from LiveOverflow channel , i so glad to be here ! your channel is interesting , love it . keep up the good work
@jammincoder3 жыл бұрын
Man, I tried researching how CSRF attacks worked last year and I never got a solid grasp of it. This video changed that. As a cybersecurity enthusiast and web developer, this is super helpful!
@yasirhussain18753 жыл бұрын
No words to describe how much informational these videos are. Thank you.
@MaysField4 жыл бұрын
"Cat-Site Request Forgery"
@a.yashwanth4 жыл бұрын
I watched around 15 videos regarding csrf and you are the only one who explained it clearly. Also not everyone stressed on "the browser automatically sends the cookies".
@shreyanshdesai31524 жыл бұрын
truuu
@kornelijekovac97934 жыл бұрын
I still don't understand it. What does it mean? What cookies? All the cookies from all the tabs opened in the browser are sent with all POST requests that are being made on whichever tab?
@bsmldy86814 жыл бұрын
@@kornelijekovac9793 All the cookies from one website will be sent to the server of that website on each request (with website I mean domain, not origin). The most important cookie is the one with the session id (SID), which identifies the user. More about this can be found if you search for "session management".
@kornelijekovac97934 жыл бұрын
@@bsmldy8681 But how can cookies from two different tabs intermingle?
@bsmldy86814 жыл бұрын
not sure what you mean by that
@dragonballZbigBang5 жыл бұрын
There's tens of thousands of videos on Csrf but you easily beat all of them. Yet the number of views you got aren't nearly as close as theirs. Niche youtubers like you are ahead of the time. I hope people like you are revered in coming 5 years
@PwnFunction5 жыл бұрын
Yeah, late in the game, but it's totally fine, I'm just trying to give somethin back to the community.
@OviDB2 жыл бұрын
Look at it now ;)
@gerolori Жыл бұрын
Damn, dude really planted the seed and let it grow
@sathvikmalgikar28422 жыл бұрын
we need more of these. literally a free service to everyone genuinely interested
@nullpwn3 жыл бұрын
Wow , I love the graphical explanatory video, really easy to follow and understand in concordance with explication
@sleepydev47003 жыл бұрын
the music and naration in the intro made me feel like I'm discovering a mistery in another new world, lol. great video
@CYB3Rsynth2 жыл бұрын
Third video of yours that came up, and perfectly described the concept. Subscribed
@theawless3 жыл бұрын
Great content. I can't believe this is free! PS: I love your colour scheme
@danialabsolute6882 жыл бұрын
I really enjoyed your theme of explanation and the background music. sounded adventurous
@rasikagayangunarathna4 жыл бұрын
I genuinely don't understand why you stop creating videos. Your style is so cool.
@dogcat62213 жыл бұрын
He's back!
@krantisatyam3 жыл бұрын
This is one of the best channel I have encountered 😍
@JoshuaKisb4 жыл бұрын
was curious if tokens really work since you could just make a GET and read the token then post. glad you answered that question very quickly. awesome video. i will subscribe
@nivelis915 жыл бұрын
You definitely deserve more subs ;)
@yashdeephinge2 жыл бұрын
Great Video and your drawing is amazing bro that google logo and the adobe logo was so perfect.
@miguelnunez14355 жыл бұрын
Just came by from watching LiveOverflow's video. I subbed and put on the bell notification on. This channel looks so cool
@MinusFourmn2 жыл бұрын
As I understand it, fetch and XHR require `useCredentials` to send the cookies along with the request which needs to be explicitly stated on the CORS header Access-Control-Allow-Credentials. Otherwise cookies are not being sent and the CSRF fails.
@subhashsarangi5 жыл бұрын
You are just awesome man. Why doesn't KZbin show such search results at the top. I couldn't find you when I needed but now I am happy. Thanks bro..
@mitchelline5 жыл бұрын
Incredibly amazing video as always. Very great explanation, and I love your color choices and how you draw/write everything
@itsfarseen3 жыл бұрын
Love the style of explanation!
@kid_kulafu_17274 жыл бұрын
Bruh you need to create more content like this. Also you give example are to fast but over all your the best. 11/10.
@aminvogue4 жыл бұрын
Wunderbar...................U r one awsme teacher. Hats off to the effort you put in, for us mere novices.
@darklord555X2 жыл бұрын
the best channel, thanks brother for the knowledge
@ekaterinazakharenkova5826 Жыл бұрын
Best explanation I've ever heard!
@casual-corner-k8s5 жыл бұрын
This is very well explained, appreciated
@ph0sgene9679 ай бұрын
As someone who pioneered csrf in 2007 this is a great video
@joshuz1012 жыл бұрын
I often find it hard to focus on educational videos like this, but somehow your videos have all of my attention. Not sure what voodoo you're using but it's working!
@berakoc85562 жыл бұрын
You put lots of effort into your videos. Transitions are amazing. Wonderful production.
@farzadsole37843 жыл бұрын
Amazing content as always, big fan of your videos and tutorials, thank you so much ;D
@venkaraj2 жыл бұрын
Crystal clear explanation. Thanks a ton
@VietnamSteven5 ай бұрын
incredibly informative!
@aayushkubitkar48275 жыл бұрын
Came from Stök's channel. Absolutely loving it now! Subscribed and belled👏
@samuelk30765 ай бұрын
Very nice video, I love the explanation!
@fairchild9able3 жыл бұрын
Thanks for making this. Really nice!
@king998100 Жыл бұрын
probably the best explanation out there
@paulcalinovici88084 жыл бұрын
Before sending the delete request, isn't the browser sending a preflight OPTIONS request to the server which will return an error and the delete request won't happen anymore ?
@aakashthakur14153 жыл бұрын
I was thinking the same. Ideally CORS would have stopped this.
@aakash18in3 жыл бұрын
yes. In case of Ajax request , SOP will stop the request as the preflight will return error
@ororabrian71062 жыл бұрын
yeah. Just as a note, It seems that you can actually send a simple request to the server and the request will go through but you won't be able to read the response due to cors. namely if you don't have any headers on your request but then again that means you won't have any cookies and won't be carrying any state so pretty useless all in all.
@SunPodder2 жыл бұрын
As cors is just client sided, for a hacker this isn't difficult to bypass it
@spicybaguette7706 Жыл бұрын
@Orora Brian You can still do CSRF for non-authenticated requests, such as an anonymous message on a blog post or something, which is not entirely harmless
@stanpeng59313 жыл бұрын
Such a good video. I love the voice as well: cute and reliable
@staynjohnson42214 жыл бұрын
12:47 I dont understand why the json data + the content type header are first passed through a redirect(?) then to the vulnerable site?
@peterfarhat57674 жыл бұрын
Because simply flash will forward the request as string and then the site will convert it into header and “ key = value “ type so that it would be readable by the API of vuln.com!
@youarethecssformyhtml20 күн бұрын
Because the redirect can send cookies
@mosesegboh4 жыл бұрын
you concept and style of teaching is lovely!..keep it up
@nickdaone2 жыл бұрын
You need more likes. Your work is needed for every developer.
@matthewdraevich42144 ай бұрын
Great explained, thanks🔥
@zb27473 жыл бұрын
Great video, to the point and thoroughly explained the main concept.
@eshaan7_5 жыл бұрын
Thankyou for your videos. I would very much like to see a video on Insecure CORS and ways to escalate it :)
@ETbutforreal4 жыл бұрын
You explained this better than the skillsoft guys, that's for sure
@playboicartihey2 жыл бұрын
this is the best. freaking cool
@dougthefiddler3 жыл бұрын
Very clear explanation. Thanks!
@Gigolas885 жыл бұрын
wtf you deserve way more likes on this
@zTech3005 жыл бұрын
Great explanation bro, Keep up the good work. Wish ya da best.
@princepatwari3654 жыл бұрын
Great videos.........Thank you for posting them
@mahirmolai38343 жыл бұрын
Was watching live overflows vid a month ago, and look at me now, watching each video of yours everyday
@gamingwolf3385 Жыл бұрын
Amazing 😅 , i learn a lot of new concepts in one video , but i think i will re-watch it later , some of them seem confusing !
@Meleeman0114 жыл бұрын
this made me rethink my web security holy shit.
@MrVinaybhandari5 жыл бұрын
Videos are so interesting and clear with basic to advance. Keep going 😀
@raulherbert Жыл бұрын
Awesome explanation! Tks!
@yeshwanth.alampalli4 жыл бұрын
Basic question 😐=> If the same origin policy blocks the request from different domain, how can cat.com make request on behalf of vulnerable.com? 🤔
@PwnFunction4 жыл бұрын
Thats an example of Cross Origin Request, you can make requests to any website, but the response can't be read due to SOP unless the site let's you explicitly.
@shivamyadav12832 жыл бұрын
Is it true that SOP allows to send request cross domain but not read the responses? Why would even a request be even triggered by the browser if there is a SOP?
@kesogonzaga26714 жыл бұрын
4:00 how did cat.com get my session id?
@esquilax55634 жыл бұрын
The attacker who created cat.com never needs to know your session ID. The javascript in cat.com makes a POST request to vulnerable.com, the browser sees that it's contacting vulnerable.com, and it automatically includes the cookies (including session id)
@dalewatson39784 жыл бұрын
@@esquilax5563 sorry, so after i make request from vulnerable.com, and then i browsing another domain, and somehow open cat.com, the cat.com still can access my previous vulnerable.com cookies ? is it across the tab browser? what if i re-open the browser, will the request from cat.com still including the vulnerable.com cookies ? then cat.com really needs to know our history browser, so cat.com knows what was the useful cookies before ? does opening from private/incognito browser prevent csrf ?
@esquilax55634 жыл бұрын
@@dalewatson3978 It goes like this: browser: hey vulnerable.com server, can you send me your content? vulnerable.com: sure, here it is, and please remember "session=123" ...later... browser: hey cat.com, can you send me your content? cat.com: sure, here it is (snigger) browser: hmm, the content says I should also ask vulnerable.com to do x, y, and z browser: hey vulnerable.com, can you do x, y, and z? And BTW you told me earlier "session=123" vulnerable.com: session ID checks out, OK, I'll go ahead and do x, y, and z. The browser knows *all* its cookies for *all* sites. When it makes a request to a site, it will only send the cookies for that site. Incognito mode can help in some cases. When you start off in incognito mode, you have no cookies, and they'll all be cleared when you close the incognito window. But you can still set cookies in the meantime. So if you're in private mode and you log into vulnerable.com, the same thing can happen. If you're only logged into vulnerable.com in your regular, non-private browser, then you can go to cat.com in private mode and this attack won't work. About closing and re-opening the browser, it all depends on when the relevant cookie is cleared. It can be set to expire when you close the browser, or to expire after a certain amount of time, or it can stay around forever. The server specifies how long the cookie should stay around when it sets the cookie. That's why many sites can decide to let you stay logged in even after the browser is closed and re-opened.
@trishulbhuyar1814 жыл бұрын
Won’t CORS will restrict the call, when delete request initiated from cat.com to vulnerable.com ?
@susovangarai67314 жыл бұрын
your channel is a gold mine !!
@kds-20494 жыл бұрын
Explained well, props to you
@chaosknight3175 Жыл бұрын
Ok, good stuff. Subscribed.
@xa3da43 жыл бұрын
I Love PwnFunction Video's ILLUSTRATION🔥🙌⚡😍
@zxuiji3 жыл бұрын
3:49, uh but there's an origin parameter there, that means the server should be the one responsible for checking the origin has authorisation prior to carrying out any command it has sent
@ororabrian71062 жыл бұрын
I'm not sure about this I think that the server can decide to check this at the own descretion however this video is in the context of "what the browser does". I guess this video is about the security from the browser point of view.
@HarujiCat9 ай бұрын
You saved me. Thank you so much
@chimithras47462 жыл бұрын
Great Explanation ✅
@a.yashwanth4 жыл бұрын
I get this as response headers but I still get the chrome cross origin error. access-control-allow-headers: Content-Type access-control-allow-origin: localhost content-length: 0 content-type: text/html; charset=UTF-8 date: Mon, 16 Mar 2020 15:52:28 GMT server: Apache status: 200
@nolongeravailable1112 жыл бұрын
Nice video thanks for the amazing content
@MohaDou4 жыл бұрын
That's crazy explanation, Thanks a lot
@eLab433 жыл бұрын
Question: Why not just use postman and set the headers? Thanks
@ororabrian71062 жыл бұрын
You can.... If you want to hack only yourself.
@yuvalozeri31425 жыл бұрын
Amazing video, so clear! thank you
@jenniferwood49165 жыл бұрын
Love your videos! Please make more :3
@soufianeabbad8875 жыл бұрын
Awesome video. I hope that you explain some bugs like vulnerable flash files, JSONP and email spoofing
@behnkenj4 жыл бұрын
Well done sir, keep them coming! :)
@artemislwof92645 жыл бұрын
Fucking A . i had to do couple of days of deep research to understand some of those concepts in order to have some idea about where the exploits would be . you just explained it PERFECTLY in simple terms and visuals and confirmed some of my thoughts :D . u did share some valuable and accurate information despite supid youtube terms n policies. Thank you sir for the clues XD
@Odys423 жыл бұрын
Awesome ! Thank you !
@kivuosark20883 жыл бұрын
Yes! We cannot access external website within but what about window.postMessage() ?
@khoroshoigra8388 Жыл бұрын
most of the cases of being bypassed by other domains for a kind of request is by using */wildcard in CORS
@timon58512 жыл бұрын
4:08 why is cat-website allowed to send a cookie which is not his own? Where else does it now the sessionID to give a valid answer to the server? Sorry im kinda lost
@ororabrian71062 жыл бұрын
Sometimes it's warranted. sometimes one site depends on you being authorized on another website.
@mitchelline5 жыл бұрын
I found a CSRF on a large website with > 500k members, so it's more common than you think! It allowed me to send their coins to my account, and those coins were bought with real money, so it was a decently critical flaw
@karansh4914 жыл бұрын
Hey @PwnFuncrion why you're not uploading any videos now 😐
@mk98344 жыл бұрын
love your videos this is a god's work
@harshitjoshi30822 жыл бұрын
This is awesome !
@TheShayMo15 жыл бұрын
Hi PwnFunction , just found your channel , your animations on this video are fantastic , can you share what app you use ? Thanks & Great Job
@PwnFunction4 жыл бұрын
Adobe animate to draw, Audacity/Auditions to edit sound and Premiere pro for editing vid.
@kurogaming32054 жыл бұрын
I love your videos there amazing , professional ! but I guess slow down a little bit for new people, other than that your the best I have ever being taught
@vitorgouveia53782 жыл бұрын
but doesn't CORS prevent this?
@brod5153 жыл бұрын
let me get this right, if cat.com sends a request to vulnerable.com the browser automatically sends cookies of vulnerable.com with the request but cat.com can't read the response right. they crucial part is that cat.com can't read the response.
@vanjavk2 жыл бұрын
I feel like you're correct
@indientis60032 жыл бұрын
*Sees **11:42* *Cries with Respect*
@yashsodha14065 жыл бұрын
Does the Flash CSRF JSON trick still work?
@salahbaddou85835 жыл бұрын
yes it does, it requires the victim to allow flash though, but it works neverthless
@mohitpal15055 ай бұрын
But isn't the cookie domain-specific? When we click the cat site(evil) would it still send the cookie(containing sensitive data like sessionId), though it is not associated to hat cat's domain?
@rulzz25814 ай бұрын
You are right, cookies are domain-specific. If you have two different websites opened in your browser, they will not know the Cookies of each other. But the thing is that your BROWSER knows them. And it's your browser that automatically sends them with every request to the website. Otherwise, you were supposed to re-login into the website every time you wanted to make any action.
@LiEnby3 жыл бұрын
Wait thou the form will be sent with "Content-Type: application/x-www-form-urlencoded" and NOT "Content-Type: application/json"!!
@ororabrian71062 жыл бұрын
This is the problem I see with the JSON workaround as well. how do you get around this 🤷♂️. I'm not even sure that json data is sent in the same way form data is sent.
@LiEnby2 жыл бұрын
@@ororabrian7106 server may not care about content type..
@ororabrian71062 жыл бұрын
@@LiEnby yeah that's true. alot of this is also relying on a rely lax server 😂 ... from what I've read I believe a resonable server would also look at origin and referrer
@jimmyliu29823 жыл бұрын
But how is it possible to post json via html form, where entry is urlencoded?
@atharvakadlag19373 жыл бұрын
You're videos are awesome
@oussamasethoum16657 ай бұрын
Can cors prevent this request when credentials are included and the cookie is http only?
@kaos09211 ай бұрын
Cookies from other tabs / domains aren't sent to the server.
@funtutes51224 жыл бұрын
is there a video done by this guy on double submit cookies pattern?