Your App Is NOT Secure If You Don’t Use CSRF Tokens

preview_player
Показать описание
Cross Site Request Forgery (CSRF) is one of the most common security vulnerabilities that most sites face, but many people don’t actually protect from it. In this video I will show you what CSRF is, how to protect against it, and what could happen if you don’t.

📚 Materials/References:

🌎 Find Me Here:

⏱️ Timestamps:

00:00 - Introduction
00:52 - Project Overview
02:42 - How CSRF Works
05:15 - How To Fix CSRF Vulnerabilities

#CSRF #WDS #WebSecurity
  1. Web Dev Simplified
  2. webdevsimplified
  3. csrf
  4. csrf token
  5. cross site request forgery
  6. cross site request forgery token
Рекомендации по теме
Your App Is 0:09:57

Your App Is NOT Secure If You Don’t Use CSRF Tokens

Our system detected 0:02:56

Our system detected that the device you are using is not secure (problem solved) / GCASH PROBLEM

Less secure app 0:01:01

Less secure app access not showing @gmail (SOLVED)

Which Encrypted Messaging 0:06:30

Which Encrypted Messaging App is Most Secure - Telegram, WhatsApp, Signal?

STOP using this 0:05:05

STOP using this Two-Factor Authentication (2FA) method!

Fix This Browser 0:01:12

Fix This Browser or App May Not be Secure Problem Solved!! 2021 🔥

The current version 0:01:54

The current version of the app is not secure Capcut | Fix Capcut security Notice Problem

The current version 0:02:53

The current version of the app is not secure capcut | Security notice capcut

Fixed | Install 0:01:42

Fixed | Install Unknown sources disabled | Allow from other sources disabled

[FIXED] This browser 0:06:21

[FIXED] This browser or app may not secure. Try using a different browser

This browser or 0:01:00

This browser or app may not secure. Try using a different browser. [SOLVED] in 1 minute!

How to Fix 0:00:47

How to Fix GCash App Device Is Not Secure - Android & Ios | Final Solution

GCASH PROBLEM DEVICE 0:01:31

GCASH PROBLEM DEVICE SECURITY

Solution for not 0:03:58

Solution for not working apps on mobile | Malayalam Explained By SPINACH MEDIA

How to Secure 0:27:44

How to Secure Your App With AppSweep

how to fix 0:02:08

how to fix security policy prevents installation of this application samsung

Zangi Secure Messenger 0:01:05

Zangi Secure Messenger - Easy-to-use, Private and Secure Messaging App

How to Fix 0:02:33

How to Fix GCash App Error: The device you are using has settings that are not secure.

Why Telegram messaging 0:04:00

Why Telegram messaging app isn’t as secure as you think | Tech It Out

How To Fix 0:02:41

How To Fix Not Secure Website On Chrome!

This Browser Or 0:01:49

This Browser Or App May Not Be Secure Google Chrome | How To Fix This Problem In Mobile

this apk file 0:01:26

this apk file might contain unsafe content make sure you trust the sender problem fix | meaning

#1 Most Important 0:03:36

#1 Most Important iPhone PRIVACY Setting (You Need To Know This!)

The current version 0:01:44

The current version of the app is not secure Capcut | Fix Capcut security Notice Problem

Комментарии
Автор

Hello Kyle, in my understanding CSRF exploits have nothing to do with CORS.
Instead they are related to the "SameSite" policy of your cookies.
In your example server you've set the SameSite policy of your cookie to "none", doing so you're vulnerable to csrf unless you implement a csrf token as you showed us.
BUT if you hadn't set samesite policy in your server, Chrome (and I think all the other major browsers) would have automatically set that cookie to have a "Lax" policy which would have prevent csrf attack even without a csrf token.

That's my understanding from what I was able to experiment in the past. Please correct me if I'm wrong.

I usually don't write comments, but I'll take the opportunity to thank you for all you contents. They have been incredibly valuable for me :)

cristianlaspina
Автор

CORS does not increase security. CORS, specifically, is an opt-out of security policy. The *default* policy of modern browsers is a same origin policy, and if you want to allow origins beyond that, you need to configure your server with a CORS whitelist policy that says "Oh, these places are allowed too." As others have stated, this vulnerability is entirely due to the cookie's SameSite setting, where "None" was the old default (meaning other sites could send requests to your origin and have it pass along any relevant cookies). The new default is Lax which only passes such cookies on a navigation action (meaning it doesn't return data to the malicious site), and you could even specify the SameSite policy as Strict to only ever be sent when you're already on the cookie's origin site.

Now, you can still do weird stuff and end up with a CSRF vulnerability. For instance, you can have an endpoint that allows a GET request but performs actual actions on behalf of the user, allowing malicious sites to attack this way even on a navigation action. But the more appropriate response is using the correct HTTP Verb bindings instead of going all-out with CSRF tokens, I think.

As to why your attack worked-- localhost is the same site as localhost, even if it's a different port. If you had 2 or 3 different computers and hosted the login site and the malicious site on two different computers, I don't think this would work.

andrewshirley
Автор

Great video! Auth is so important to get right and has so many pitfalls that you can fall into. Love to see content like this helping up everyone's security game!

stytch
Автор

SameSite policy on cookies and checking origin/referrer headers is a cleaner solution that csrf tokens in my opinion, unless you make an API with some ridiculously bad GET requests.

TylerTraverse
Автор

If you don't use subdomains or multiple sites on the same domain, same-site:strict cookies are enough. It's still good to use a CSRF Token if you're not sure where the client's going to deploy your web app - they might have a statistics site or some other tool on a subdomain with an XSS.

TanelM
Автор

The drawback of this approach is that you need to implicitly include the csrf token in every form/http post and validate it in backend, which can easily be forgotten. A better approach is to use refresh tokens and access tokens. Refresh tokens are stored in http only cookie which can only retrieve access token (and refresh themselfs), and access token are stored in browsers memory (like you do with the csrf token) and used to call the API's.

ilijanl
Автор

Thank you, I've been researching CSRF from a developers POV, this really cleared things up. Just one thing to point out that CORS is actually to impose relaxations on Same Origin Policy. We can do this using Access-Control headers. Subscribed for more such content.

karanb
Автор

When you have a SPA and do all requests with ajax, you can just send a custom header and check for this custom header to prevent CSRF.

Venistro
Автор

sounds the like the refresh-token method. although they both do not eliminate the risk of a malicious attack they just reduce it.
also whether you know that there is a risk of being "hacked" or not, you always assume that it's the case. so not a single app on the earth is secure 100%. it's only a matter of making harder.

anasouardini
Автор

Very clear, and fun. So in summary the main issue being other sites can use the targeted sites cookie. And by storing a token as a variable it's not accessible from other sites.
However in the current example if the user refreshes there page they would lose the token and need to re login. Or should that token be stored in the browser?

thomasmiller
Автор

It's a very nice explanation but I still have several doubts.
1. If the server checks the CSRF token, why does it need to check also the session if we are sure that the request is done by a logged-in user from their browser?
2. Isn't setting SameSite option in the cookie enough? If not, why?
3. If the CSRF token is stored in js, it's lost after refreshing the site, right? Can we prevent it?

Thanks!

jataman
Автор

I would no use a token on cookie. But maybe local storage since that is not sent automatically with the request. The request requires to add that param from local storage manually... That would solve this issue

unknotmiguel
Автор

i had a lot of question about csrf and you answered all with that one video

najwer
Автор

Great video. Shared it with my dev buddies in college. Thanks!

calebkrauter
Автор

Great, one way is that server can pass a JWT token which the logged in client can save and use it in the future requests. Hence using secure tokens such as JWT, prevents CSRF attacks.

ganeshchowdhary
Автор

This is the note taken from MDN. Maybe we don't need implement it on our own in modern browsers.

Note: Lax replaced None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

geforcesong
Автор

Hello Kyle, thank you for this tutorial, I think another alternative to prevent the evil site to access is to set cookie sameSite to lake

jarrayamehdi
Автор

I think if you ask the user to send back his username or password with the request to delete a ressource, in this case you're protected against CSRF, as the evil site or page doesn't know them even if the cookie is auto sent by the browser, in other words the username or password will act as a CSRF token, because at the end a csrf token is just another secret that you're posting and keeping in a variable in memory and sending it back throught the clients request.

phdz
Автор

8:30 but if the token is sent only when the user logs in and you don't save it in local storage, he will lose it if he refreshes the page after being logged in

roronoa_d_law
Автор

Your content is dope. I've learned a lot of stuff from you. Thank you

cadillacjack