Cross-Site Request Forgery (CSRF) | Complete Guide

Views: 88,184

Rana Khalil

1 day ago

In this video, we cover the theory behind Cross-Site Request Forgery (CSRF) vulnerabilities, how to find these types of vulnerabilities from both a white box and black box perspective, how to exploit them and how to prevent them.
▬ 🌟 Video Sponsor 🌟 ▬▬▬▬▬▬▬▬▬▬
Sign up to Intigriti: go.intigriti.com/ranakhalil (affiliate link)
▬ ✨ Support Me ✨ ▬▬▬▬▬▬▬▬▬▬
Buy my course: academy.ranakhalil.com/p/web-...
▬ 📖 Contents of this video 📖 ▬▬▬▬▬▬▬▬▬▬
00:00 - Introduction
00:29 - Intigriti sponsorship (go.intigriti.com/ranakhalil)
01:24 - Agenda
02:12 - What is a CSRF vulnerability?
19:14 - How to find CSRF vulnerabilities?
26:07 - How to exploit CSRF vulnerabilities?
32:50 - How to prevent CSRF vulnerabilities?
47:15 - Resources
47:57 - Thank You
▬ 🔗 Links 🔗 ▬▬▬▬▬▬▬▬▬▬
Video slides: github.com/rkhal101/Web-Secur...
Web Security Academy: portswigger.net/web-security/...
OWASP - CSRF: owasp.org/www-community/attac...
OWASP - CSRF Prevention Cheat Sheet: cheatsheetseries.owasp.org/ch...
Rana's Twitter account: / rana__khalil
Hacker Icon made by Freepik: www.freepik.com

Comments: 128
@RanaKhalil101 (2 years ago)
Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨
@MP-eq8fx (2 years ago)
Can't praise enough. Maybe it's my shortcoming, but many paid courses couldn't explain concepts to me the way your videos did, in a very simple way. I am learning now, and if I ever get a bounty, the first thing I'll do will be to support you.
@RanaKhalil101 (2 years ago)
@MP-eq8fx No need to purchase my course. Glad you're liking the series!
@MP-eq8fx (2 years ago)
@RanaKhalil101 I request you to do one video on how to use Burp Suite.
@macbook6507 (2 years ago)
Thanks for the lecture. Teach us a full CSS course.
@saneyalam7434 (1 year ago)
Bought the course to support you. Hoping for more content soon.
@robot67799 (2 years ago)
Your teaching style is the best. It's really difficult to find teachers like you 😭. I'm having difficulties with XSS. Hope you will make videos on that too ❤️❤️
@devinosborne3396 (1 year ago)
7:55 and this is the best explanation I've heard yet. Well done. Very clear.
@saneyalam7434 (1 year ago)
Great explanation. All my confusion related to CSRF is gone now... Thank you so much for creating such content.
@govind22703 (2 years ago)
For some reason, I really like listening to you explain stuff. This reminds me of the science TV shows I used to watch as a kid :)
@swamimzaman7058 (2 years ago)
I like the way you explain the topics very minutely; the way you explain is very easy to understand. Hoping you upload all the PortSwigger labs soon.
@gangsternerd8419 (1 year ago)
Thanks for everything you do; you are highly appreciated. We would appreciate an updated version of this video, or maybe just a part that includes exploring JSON request type CSRF tricks and tips, including some guidelines that could help beginners. I would especially appreciate coverage of using Flash to exploit CSRF ❤
@rajanrawal6396 (2 years ago)
I don't even know how to put into words the way you explain things; it's amazing, ma'am. We need more such playlists in the future.
@abidkhan9934 (2 years ago)
Hey Rana Khalil, good to see you. Please do other topics as soon as possible, because you have an outstanding ability to train.
@rishabhsahni4312 (2 years ago)
Very well explained, covering each aspect in detail. Highly appreciated!! Rana 👍
@salimzavedkarim230 (2 years ago)
This has gotta be the best video on the Internet. I'm a fan now.
@t41h45 (2 years ago)
Most awesome tutorial ever. First complete SQLi and now CSRF 👍😎
@DaggerSecurity (2 years ago)
Peace be upon you. Mashallah, this is the best explanation of the topic. May Allah reward you.
@Hefnawiat (2 years ago)
Excellent quality, amazing content, and a very clear way of illustrating. I am amazed. Greetings from Egypt.
@thesecuritypoint (2 years ago)
Ohh ma'am, after such a long time. Waiting for the new topic after becoming a master in SQL 😁
@xa3da4 (2 years ago)
Awesome explanation 🙌💥✌✌ Thanks ma'am! (Finally landed on the BEST CSRF EXPLANATION TUTORIAL on KZbin.) This channel deserves millions of subscribers... after some days this playlist will also hit millions. 🔥
@javhaasuhochir8126 (1 year ago)
Incredibly clear and easy to understand, thank you.
@gameforme6007 (2 years ago)
Just finished watching the full video... really awesome content. Thanks for that.
@sawtintkyaw887 (2 years ago)
Hello Rana Khalil, I check your channel every week for a new learning video. Thank you again.
@bird271828 (1 month ago)
Rana, I love your videos and your explanations. They are very informative. Thank you.
@w3w3w3 (2 years ago)
Best video ever on the subject! You have a great way of explaining things lol. Thanks.
@yevhendidenko3833 (1 year ago)
God, how wonderfully and in such detail you can explain! Thaaaanks!!
@amolgangurde2790 (2 years ago)
Awesome video and detailed explanation. Thank you 👍
@petergentile8974 (2 years ago)
These series are amazing! Thank you.
@abdallahezat8604 (11 months ago)
That was a really awesome session. Thanks a lot Rana, and great effort.
@masicre9574 (2 years ago)
Thank you soo much for this video... I am a fresher in this field... This class was awesome... please upload more videos and labs on attacks...
@rmzhmd1057 (1 year ago)
Oh my God, how well you explain this.
@bertrandfossung1216 (2 years ago)
Rana, thank you very much. CSRF is my best bug class..
@user-wl1ry9ot5u (4 months ago)
This video helped me like hell; I got all my doubts cleared. THX
@alimahmouditavana3719 (2 years ago)
I'm so excited, please upload this video.
@phinehasantwi9615 (2 years ago)
Thanks so much for giving us the lessons on CSRF.
@jub0bs (2 years ago)
44:45 "Of course, you need to use [SameSite] in addition to CSRF tokens and not as a defence on its own." This cannot be repeated enough 👏👏👏
@gameforme6007 (2 years ago)
Just completed watching the full video. Really awesome content. Thanks for the content, apu (sister).
@zubairsafiii (2 years ago)
Love from Pakistan. Thanks for doing such an amazing job; people get to learn a lot.
@Mohd-0_0-Taiyyab (2 years ago)
This video needs 100 million views.
@sto2779 (1 year ago)
Excellent explanation on the topic. Thanks.
@fishslider (1 year ago)
Best in-depth video I found.
@acronproject (1 year ago)
Thank you Ms. Khalil, it is very useful for me.
@mohamed__sharif (16 days ago)
This is a great video. Thank you.
@electrowizard2658 (2 years ago)
I'm from India, ma'am. You are a very good teacher; I wish I could have you as my cybersecurity mentor.
@JacobSean-iy3tl (2 months ago)
You have such a calming voice.
@paulojr1384 (1 year ago)
I'm in XSS on the PortSwigger learning path. Anxious to catch the next chapter, CSRF, to watch the best teacher. Thx 👍
@allmusic1281 (2 years ago)
Rana, I love your videos and the way you explain everything. Is it possible for you to activate the subtitles in this video? My English is not very good, but with the subtitles I can understand your video perfectly. I hope it is possible, and thank you very much for sharing your knowledge; it is of great value.
@HakanGalip (8 months ago)
Thanks a lot, clear to understand.
@akahumpty (2 years ago)
Great video!
@fabiosalvi9035 (10 months ago)
Thank you. Your video is really well done :-)
@OneMinExplains (1 year ago)
Thanks ma'am 🧑🏻‍💻😃
@Mersal-tq9lm (2 years ago)
Really, it was great 👍
@ghassenbarkache1676 (1 year ago)
I've been following you for a while; thank you for what you are doing. I lately watched your interview with David Bombal on his YouTube channel; I'm really impressed and I would like to thank you for your advice. I have some questions regarding Intigriti; if you can reply to them I would be grateful.
@mdparvejhasan7040 (2 years ago)
Awesome work 👍😀
@aqibmunshi6184 (9 months ago)
Great video Rana. A quick question: why doesn't the browser attach the CSRF token just as it attaches the cookie when the attacker sends a URL of the site with the email change parameter? I mean, how does the browser decide when to attach the CSRF token and when not? I mean, if an attacker sends me a link for email change and I have a cookie and token in the browser, why won't the browser attach the CSRF token at that point in time?
@forceboxed (1 year ago)
For stateless applications, shouldn't a single CSRF token (passed as a hidden input field) be enough? Why do we need the double submit defence?
@baybars4392 (2 years ago)
Hi Rana Khalil, my English knowledge is not very good, but since your videos are very instructive, can you add Turkish and English subtitle options to your video?
@nikhilbk3409 (2 years ago)
Second question is: under Inadequate defense, instead of using the Referer header, if the Origin header is used against a whitelist of allowed origins, will it become another layer of security against CSRF attacks, OR can the Origin header also be spoofed?
@laxmantamong2364 (1 year ago)
But how does the attacker know that the link has been clicked and the email got changed?
@Hussain-we6tk (1 year ago)
Hi, I have a doubt as to why the POST method will not include cookies?
@waliulahmed9582 (2 years ago)
Great!!
@salahalgarhy3334 (5 months ago)
Why are the subtitles closed on the video? Please look into this matter.
@gnomoleproso47 (1 year ago)
Best video ever.
@rahmanasadur8167 (1 year ago)
Excellent
@sureshiva4605 (1 year ago)
Hey, nicely done.
@psychology2251 (2 years ago)
Keeeeeeeep going, can't wait to finish all the labs with you ^_^
@saikiran-ez6ud (2 years ago)
A great one as ever, thanks 🥂
@nikhilbk3409 (2 years ago)
Hello ma'am, I have a doubt: when the attacker sends the email to the victim with a malicious link to click, in this case, as you told in the Additional defense concept regarding the SameSite attribute, since the victim clicked the link in Gmail, if SameSite=Strict then should the CSRF attack fail? Because the request is initiated from the third party, Gmail. Is my understanding wrong?
@kiiwwwiiii (24 days ago)
Hi @RanaKhalil101, your videos and explanation are really good. It made me understand the basics so much; thanks a lot for this!! Really, I mean it.
@m0niruzzaman (2 years ago)
Excellent explanation ♥️ Thank you!
@SecurityTalent (2 years ago)
Thank you, sister......
@mohmedahmed6515 (1 year ago)
Thank you Rana.
@techtutorials7026 (2 years ago)
Nice job
@Phuongang-ti6ch (4 months ago)
Hello, I have a question: what's the difference between buying the course and not buying it?
@user-dh2ev1ry7h (2 years ago)
Thanks
@the_shafei (11 months ago)
Are there ones for XSS please?
@karanjoshi7438 (2 years ago)
Please make videos on OAuth 2.
@motivationvideo6017 (2 years ago)
Great, thanks very much.
@nimamehdipor9109 (9 months ago)
Hi, thanks for the awesome video. Can you activate the subtitles of your video? It will really help a lot, thank you.
@M0X0101 (2 years ago)
Waiting from Egypt.
@user-ni7rd7st8z (1 year ago)
It seems that there are no subtitles and it cannot be translated, which is a bit troublesome.
@saminbinhumayun858 (8 months ago)
Please make videos on XSS, thank you ❤
@gfernandez2970 (2 years ago)
I was wondering if it'd be possible to add English subtitles. My sister is deaf, and I'm not pretty good at understanding English (we're from Spain), but both of us can read it. We're aware how good your material is, and it'd be amazing for us if that were possible. Thanks a lot in advance!
@RanaKhalil101 (2 years ago)
I wish it was under my control! KZbin automatically generates captions for my videos when I upload them. Unfortunately, for some reason, it didn't upload subtitles for this video :(
@wispawelwis38 (1 year ago)
38:30 So where is the CSRF token parameter (the one placed in the POST body) stored, if not in cookies? In local storage? Can't the attacker steal the CSRF cookie?
@paco7111 (1 year ago)
It is part of the form as a hidden field.
@wispawelwis38 (1 year ago)
@paco7111 but where is its value stored?
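The thread above asks where the hidden-field token's value lives, and earlier comments ask whether an Origin allow-list and SameSite add anything beyond the token. The Python sketch below is an added example, not code from the video or its slides: the synchronizer token is generated per session and kept server-side, the browser only carries it inside the form, and a state-changing POST is accepted only when the Origin header is on an assumed allow-list (the host shop.example is a placeholder) and the submitted token matches the stored one in constant time, with SameSite on the session cookie as a second layer rather than the only check.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Assumed placeholder origin; a real deployment lists its own scheme+host(s).
ALLOWED_ORIGINS = {"https://shop.example"}
# Constructed in-memory session store (session id -> session data). Production
# keeps this server-side too (database, Redis), never in a client-readable cookie.
SESSIONS = {}


def issue_csrf_token(session_id):
    """Generate a fresh synchronizer token and store it in the server session.
    The client only receives it inside the HTML form, not as a cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def render_change_email_form(session_id):
    """Embed the token as a hidden field; that field is where its value lives
    on the client side, and it is what a cross-site form cannot reproduce."""
    token = issue_csrf_token(session_id)
    return ('<form method="POST" action="/change-email">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="email"><button>Save</button></form>')


def session_set_cookie(session_id):
    """Session cookie with SameSite=Lax as an additional layer: it stops the
    browser sending the cookie on cross-site POSTs, but is not the only defense."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def is_valid_state_change(session_id, headers, body):
    """Accept a state-changing POST only if the Origin header is allow-listed
    AND the hidden-field token matches the server-side copy for this session."""
    origin = headers.get("Origin")
    # Browsers send Origin on cross-origin and same-origin POSTs; a missing or
    # foreign value is rejected here (policy choice: no Referer fallback).
    if origin not in ALLOWED_ORIGINS:
        return False
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    submitted = parse_qs(body).get("csrf", [""])[0]
    if not expected or not submitted:
        return False
    # Constant-time comparison so token checking does not leak timing.
    return hmac.compare_digest(expected, submitted)
```

A cross-site page can make the browser send the cookie, but it cannot read the victim's form to learn the token, which is why the token check is what actually stops the forged request.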
@omarkhalid2966 (2 years ago)
Waiting . . .
@readypubggo5650 (1 year ago)
Awesome...
@user-gs4bw7gl5d (2 years ago)
I have a question, sister.... I've mastered PHP and I can also do scripts in Python... but as I see on YouTube, most YouTubers don't encourage the PHP language!!! I am really confused whether to continue in PHP or leave it and try to master Python. What is your advice, sister? And thanks a lot.
@abdallahelsaed1434 (2 years ago)
Why is there no subtitle?
@gurvirsingh4190 (2 years ago)
Great ❤️❤️
@MehediHasan-pv4em (2 years ago)
Please make more videos for us.
@yazeedsalahat9227 (1 year ago)
Hi Rana, could you please enable translation? Thanks.
@user-gs4bw7gl5d (2 years ago)
Salam alaykom.. thanks a lot, sister.
@defyteryt2452 (2 years ago)
Is this live or video recorded?
@kalidsherefuddin (11 months ago)
The greatest
@ex0day (3 months ago)
Your material is outstanding, thanks a lot.
@uionei9083 (2 years ago)
Please turn on subtitles.
@noah4347 (2 years ago)
I am waiting.
@nobackupkiwi (2 years ago)
I don't get how SQL injections and CSRF are related?
@RanaKhalil101 (2 years ago)
They're not.
@nobackupkiwi (2 years ago)
@RanaKhalil101 At min 16:50 you said to chain these two methods... I don't understand what you mean by that, could you please elaborate?
@RanaKhalil101 (2 years ago)
@nobackupkiwi I was referring to chaining two vulnerabilities together, assuming that the application is vulnerable to both. If an authenticated page is vulnerable to SQLi and the application does not use a CSRF defense, then you can perform an SQLi attack within your CSRF attack in order to possibly gain code execution on the server. A more common example would be chaining a CSRF attack with a command injection.
@nobackupkiwi (2 years ago)
@RanaKhalil101 Clear as water. Thanks for the explanation. I hope there will be CSRF+SQLi cases in future labs.
@LearnTermux (2 years ago)
Why is it showing 8 videos are hidden 🥲
@muhammadhuzaifa8570 (2 years ago)
XSS please ma'am.
@basitkhan3853 (2 years ago)
From Pakistan 👍
@soumikdutta6171 (3 months ago)
Audio is low.
@AliKhan-om5st (2 years ago)
Please try to upload videos quickly.
@tuananh5345 (11 months ago)
Beautiful voice, Indian girl.