Cross-Site Request Forgery (CSRF) Explained
Рет қаралды 27,358
Күн бұрын
@santiagotaboada4584 10 ай бұрын
Wow... This is amazing!!! I have been struggling trying to understand CSRF attacks. This video has helped a lot. Thank you Ben for these amazing videos.
@papafhill9126 10 ай бұрын
The question of "so what" (1:52), or as I like to ask about nearly everything in life, "who cares?" If people care about the vulnerability then it gains severity. The more "destructive" you can pitch the vulnerability as the higher the severity and two low severity vulns could easily become a critical vuln if combo'd so don't just report low bugs, you are only screwing yourself over.
@MFoster392 10 ай бұрын
Thanks as usual Ben, You're still da man bro :) I've been having some medical issues lately so I'm in the 10 possibly even15 week program but it's ok i could never work for you at this point in time anyways. I'm sure you wouldn't remember but last year about this time I commented on a video saying i was a 51yr old paraplegic who didn't know Linux, the terminal, heck i never even used a computer the only tech i new was my cell and how to email someone on it 🤷♂🤦♂. I seen one of your videos and thought i can learn bug bounty and make money from home because I'm stuck in a nursing home so i am going to teach myself so i can pay for help and get my own place. I'm proud to say I'm on my way since I'm teaching myself everything i gave 1.5 to 2 years where i can learn enough to make steady money to go with my SS check not a million dollar hacker like you but steady money and I'm proud to say I'm on track chugging along slow but steady :)
@NahamSec 10 ай бұрын
Hey! Best of luck and I hope you feel better! ❤️🩹
@mayavik1034 10 ай бұрын
You are so inspiring, you should start a YT Channel, I bet it will go viral and will be another revenue stream. I will definitely subscribe.❤
@MarkFoudy 10 ай бұрын
5WP and thanks for the content as always! Hope to meet you at Defcon
@sQbhAn 10 ай бұрын
I started to watch all your 5w from xss ,and i have a question, where can i find my first vulnerability ,i know how does this vulnerability loo k like but i dont know where should i looking for them, mayby every web page i working with?
@vallerioalvaren 10 ай бұрын
hallo ben thanks for making this video, I want to ask you how to execute csrf on graphql?
@RealEyes24 3 ай бұрын
I cannot reproduce what you are doing on notifications / email, I cannot change anything
@vis2079 10 ай бұрын
Thanks for video, 👍 but what happened to Q&A video on CSRF ....? it is marked as private.... Will it be available sooner?
@gk_eth 10 ай бұрын
Please explain how to approach web apps with json content-type in the case of csrf?
@mach1ne722 10 ай бұрын
Once the content-type is application/json, browser will send the preflight OPTIONS request before forwarding the actual cross-site request. This mechanism might stop your actual request from being forwarded. If the applicaiton responds with Access-Control-Allow-Headers: Content-Type, then modified Content-Type will be allowed and the cross-site request will pass through. If the ACAH header is not allowing modified Content-Type, you can try to forcefully change it to one of the following: application/x-www-form-urlencoded, multipart/form-data or text/plain. If the application still accepts the request, you can abuse this by modifying the malicious form to include enctype=text/plain. There are some other ways to specify the Content-Type header, depends on what you use to generate cross-site request. If the application has sufficient protections against Content-Type header manipulation, you cannot abuse CSRF. Be also mindful that the ability to abuse the CSRF will also depend on if the application uses JWT token in the form of Authorization: bearer or if the session cookie is set as Lax, or Strict. This protections will also mitgate the CSRf risk.
@Fesssa 10 ай бұрын
Bro will you update you Bug Bounty Course on Udemy???
@bigbugbang-lr1sy 10 ай бұрын
from 5wp. tnx a lot 'soltan' nahamsec
@adhishrikothiyal.dreamz 9 ай бұрын
I could not understand the part where you framed an HTML element using tag. I tried opening it and was unable to execute the action that I intended to. My second question isa if I were to delete any user info I would not have the access to the other user's account usually. How would I find the id value in that case.
@sanjaiKumar-.- 9 ай бұрын
You need to have 2 accounts. Now, try testing by altering the IDs and so on
@adhishrikothiyal.dreamz 9 ай бұрын
@@sanjaiKumar-.- I did but wasn't still able to replicate it.
@hiamealhilwa6684 10 ай бұрын
I haven't found the first security vulnerabilities yet and I'm very disappointed😭
@programmerbully2556 4 ай бұрын
I don’t understand . You talk and explain the concept so fast that i can’t even comprehend what is going on
@DanMulvey 10 ай бұрын
5WP - thanks for the video, time to go see how good coca-cola is at csrf protections!
@GoliTech 10 ай бұрын
thanks a lot Naham.
@madatch9947 10 ай бұрын
What is this caido that you are using? Is it better than burpsuite?
@adhishrikothiyal.dreamz 9 ай бұрын
Ben is an advisor at Caido. Caido is security auditing tool. Not as good as burp but can replace burp in future.
@pyrexpimpin 10 ай бұрын
5wp and thank you for eveerything you do
@bugsecurity 10 ай бұрын
alert('5WP');
@shohaghasan5641 9 ай бұрын
Got a better overview from this.
@harsh9343 10 ай бұрын
what is 5wp?
@warnawarni5227 10 ай бұрын
is CSRF still alive now?
@gk_eth 10 ай бұрын
that's the question, lol
@mach1ne722 10 ай бұрын
Not a bug bounty hunter, but a security researcher and pentester here. Not really sure how it is in bug bounties, but this vulnerability might be reported quickly, so you will need to be really advanced in this topic to find the "edge" cases and bypasses in certain situations. Just last week found open-redirect, missing samesite flag on the cookie + insufficient content-type validation chain in one of the core banking last week, so I would say that it very much is alive.
@itsm3dud39 10 ай бұрын
i found 5 csrf last december and got 250euro for each. csrf is still alive you have to complete all the portswigger labs to find different types of csrf
@cyberX553 4 ай бұрын
cloud hacking tutorial pls
@leghdaf 10 ай бұрын
\\alert('5WP')//; Thanks Nahamsec ...
@deedsenterprises 10 ай бұрын
5wp for the win!
@tajsec 10 ай бұрын
Let’s goooo🎉
@Gamer-zo2dm 10 ай бұрын
Can't help to click 😂
@badcops9105 10 ай бұрын
alert(5wp)
@ucheugbomah2228 10 ай бұрын
not late today
@jondo-vh8tx 7 ай бұрын
good content but you talk to fast
@utkarshanand8369 10 ай бұрын
5WP!!!!!!!!!!!!!
@ramseyibe2844 10 ай бұрын
5WP 🎉
@chrisputt9205 10 ай бұрын
5WP !!!
@17hitchcockt 10 ай бұрын
5WP!
@victoriozuyev 10 ай бұрын
5WP! Thanks @NahamSec!
@BugHunter3009 10 ай бұрын
5WP
@rctech1237 10 ай бұрын
5wp❤❤❤
@nolongeravailable111 10 ай бұрын
W
@rafaelgonzalez9793 10 ай бұрын
First
@roshanpokharel999 10 ай бұрын
5wp
@challengeaccepted6382 10 ай бұрын
5WP
@ucheugbomah2228 10 ай бұрын
5wp
@mohammedaashique2893 10 ай бұрын
5WP Thank you soo much @NahamSec
@TheEinzzCookie 10 ай бұрын
First
@constantRic 10 ай бұрын
5WP!!
@diy_tech_genius 10 ай бұрын
5wp
@iljabrudel6224 10 ай бұрын
5WP
@user-ew5vj1sl1u 10 ай бұрын
5wp
@tthtlc Ай бұрын
5wp
@namanyadav5668 10 ай бұрын
5WP
@lovelivinglife904 10 ай бұрын
5wp
@ishowmonkey5918 10 ай бұрын
first
@Jarling-so4oi 3 ай бұрын
nobody cares
@ishowmonkey5918 3 ай бұрын
@@Jarling-so4oi this was 6 months ago lol ur a child
@BackF0x 10 ай бұрын
5wp
@GhostNongs 10 ай бұрын
5wp
@markfuentes3666 10 ай бұрын
5wp
@rafaelgonzalez9793 10 ай бұрын
5wp
@646U 10 ай бұрын
5wp
@bild96 10 ай бұрын
5wp