Cross-Site Request Forgery (CSRF) Explained
Рет қаралды 21,949
Күн бұрын
@programmerbully2556 Ай бұрын
I don’t understand . You talk and explain the concept so fast that i can’t even comprehend what is going on
@santiagotaboada4584 6 ай бұрын
Wow... This is amazing!!! I have been struggling trying to understand CSRF attacks. This video has helped a lot. Thank you Ben for these amazing videos.
@papafhill9126 6 ай бұрын
The question of "so what" (1:52), or as I like to ask about nearly everything in life, "who cares?" If people care about the vulnerability then it gains severity. The more "destructive" you can pitch the vulnerability as the higher the severity and two low severity vulns could easily become a critical vuln if combo'd so don't just report low bugs, you are only screwing yourself over.
@bugsecurity 6 ай бұрын
alert('5WP');
@MFoster392 6 ай бұрын
Thanks as usual Ben, You're still da man bro :) I've been having some medical issues lately so I'm in the 10 possibly even15 week program but it's ok i could never work for you at this point in time anyways. I'm sure you wouldn't remember but last year about this time I commented on a video saying i was a 51yr old paraplegic who didn't know Linux, the terminal, heck i never even used a computer the only tech i new was my cell and how to email someone on it 🤷♂🤦♂. I seen one of your videos and thought i can learn bug bounty and make money from home because I'm stuck in a nursing home so i am going to teach myself so i can pay for help and get my own place. I'm proud to say I'm on my way since I'm teaching myself everything i gave 1.5 to 2 years where i can learn enough to make steady money to go with my SS check not a million dollar hacker like you but steady money and I'm proud to say I'm on track chugging along slow but steady :)
@NahamSec 6 ай бұрын
Hey! Best of luck and I hope you feel better! ❤️🩹
@mayavik1034 6 ай бұрын
You are so inspiring, you should start a YT Channel, I bet it will go viral and will be another revenue stream. I will definitely subscribe.❤
@RealEyes24 18 сағат бұрын
I cannot reproduce what you are doing on notifications / email, I cannot change anything
@Cookie_Hub 6 ай бұрын
First
@sQbhAn 6 ай бұрын
I started to watch all your 5w from xss ,and i have a question, where can i find my first vulnerability ,i know how does this vulnerability loo k like but i dont know where should i looking for them, mayby every web page i working with?
@vallerioalvaren 6 ай бұрын
hallo ben thanks for making this video, I want to ask you how to execute csrf on graphql?
@cyberX553 20 күн бұрын
cloud hacking tutorial pls
@jondo-vh8tx 4 ай бұрын
good content but you talk to fast
@badcops9105 6 ай бұрын
alert(5wp)
@GoliTech 6 ай бұрын
thanks a lot Naham.
@gk_eth 6 ай бұрын
Please explain how to approach web apps with json content-type in the case of csrf?
@mach1ne722 6 ай бұрын
Once the content-type is application/json, browser will send the preflight OPTIONS request before forwarding the actual cross-site request. This mechanism might stop your actual request from being forwarded. If the applicaiton responds with Access-Control-Allow-Headers: Content-Type, then modified Content-Type will be allowed and the cross-site request will pass through. If the ACAH header is not allowing modified Content-Type, you can try to forcefully change it to one of the following: application/x-www-form-urlencoded, multipart/form-data or text/plain. If the application still accepts the request, you can abuse this by modifying the malicious form to include enctype=text/plain. There are some other ways to specify the Content-Type header, depends on what you use to generate cross-site request. If the application has sufficient protections against Content-Type header manipulation, you cannot abuse CSRF. Be also mindful that the ability to abuse the CSRF will also depend on if the application uses JWT token in the form of Authorization: bearer or if the session cookie is set as Lax, or Strict. This protections will also mitgate the CSRf risk.
@vis2079 6 ай бұрын
Thanks for video, 👍 but what happened to Q&A video on CSRF ....? it is marked as private.... Will it be available sooner?
@hiamealhilwa6684 6 ай бұрын
I haven't found the first security vulnerabilities yet and I'm very disappointed😭
@warnawarni5227 6 ай бұрын
is CSRF still alive now?
@gk_eth 6 ай бұрын
that's the question, lol
@mach1ne722 6 ай бұрын
Not a bug bounty hunter, but a security researcher and pentester here. Not really sure how it is in bug bounties, but this vulnerability might be reported quickly, so you will need to be really advanced in this topic to find the "edge" cases and bypasses in certain situations. Just last week found open-redirect, missing samesite flag on the cookie + insufficient content-type validation chain in one of the core banking last week, so I would say that it very much is alive.
@itsm3dud39 6 ай бұрын
i found 5 csrf last december and got 250euro for each. csrf is still alive you have to complete all the portswigger labs to find different types of csrf
@DanMulvey 6 ай бұрын
5WP - thanks for the video, time to go see how good coca-cola is at csrf protections!
@bloatless 6 ай бұрын
\\alert('5WP')//; Thanks Nahamsec ...
@Fesssa 6 ай бұрын
Bro will you update you Bug Bounty Course on Udemy???
@diy_tech_genius 6 ай бұрын
5wp
@roshanpokharel999 6 ай бұрын
5wp
@BugHunter3009 6 ай бұрын
5WP
@namanyadav5668 6 ай бұрын
5WP
@bild96 6 ай бұрын
5wp
@646U 6 ай бұрын
5wp
@rafaelgonzalez9793 6 ай бұрын
5wp
@pyrexpimpin 6 ай бұрын
5wp and thank you for eveerything you do
@bigbugbang-lr1sy 6 ай бұрын
from 5wp. tnx a lot 'soltan' nahamsec
@MarkFoudy 6 ай бұрын
5WP and thanks for the content as always! Hope to meet you at Defcon
@shohaghasan5641 6 ай бұрын
Got a better overview from this.
@Gamer-zo2dm 6 ай бұрын
Can't help to click 😂
@adhishrikothiyal.dreamz 6 ай бұрын
I could not understand the part where you framed an HTML element using tag. I tried opening it and was unable to execute the action that I intended to. My second question isa if I were to delete any user info I would not have the access to the other user's account usually. How would I find the id value in that case.
@sanjaiKumar-.- 5 ай бұрын
You need to have 2 accounts. Now, try testing by altering the IDs and so on
@adhishrikothiyal.dreamz 5 ай бұрын
@@sanjaiKumar-.- I did but wasn't still able to replicate it.
@madatch9947 6 ай бұрын
What is this caido that you are using? Is it better than burpsuite?
@adhishrikothiyal.dreamz 6 ай бұрын
Ben is an advisor at Caido. Caido is security auditing tool. Not as good as burp but can replace burp in future.
@ucheugbomah2228 6 ай бұрын
not late today
@utkarshanand8369 6 ай бұрын
5WP!!!!!!!!!!!!!
@deedsenterprises 6 ай бұрын
5wp for the win!
@ramseyibe2844 6 ай бұрын
5WP 🎉
@chrisputt9205 6 ай бұрын
5WP !!!
@cobra-sks 6 ай бұрын
5WP 🎉
@rafaelgonzalez9793 6 ай бұрын
First
@harsh9343 6 ай бұрын
what is 5wp?
@constantRic 6 ай бұрын
5WP!!
@17hitchcockt 6 ай бұрын
5WP!
@rctech1237 6 ай бұрын
5wp❤❤❤
@challengeaccepted6382 6 ай бұрын
5WP
@markfuentes3666 6 ай бұрын
5wp
@GhostNongs 6 ай бұрын
5wp
@BackF0x 6 ай бұрын
5wp
@iljabrudel6224 6 ай бұрын
5WP
@user-ew5vj1sl1u 6 ай бұрын
5wp
@lovelivinglife904 6 ай бұрын
5wp
@ucheugbomah2228 6 ай бұрын
5wp
@tajsec498 6 ай бұрын
Let’s goooo🎉
@nolongeravailable111 6 ай бұрын
W
@ishowmonkey5918 6 ай бұрын
first
@Jarling-so4oi 14 күн бұрын
nobody cares
@ishowmonkey5918 14 күн бұрын
@@Jarling-so4oi this was 6 months ago lol ur a child
@mohammedaashique2893 6 ай бұрын
5WP Thank you soo much @NahamSec
@victoriozuyev 6 ай бұрын
5WP! Thanks @NahamSec!
CybreezZ
Рет қаралды 9 М.
Bug Bounty Reports Explained
Рет қаралды 11 М.