Cross-Site Request Forgery (CSRF) Explained


Cross-site request forgery, aka CSRF, XSRF, one-click attack or session riding, is an attack in which an attacker is able to convince your browser to send API requests as if they originated from you. Cross-site request forgery (CSRF) is widespread, but in recent years its popularity as an attack vector has dropped due to framework-level adoption of anti-CSRF tokens. In this video tutorial, learn how CSRF attacks work, how to mitigate (protect against) CSRF attacks, and also learn a few mitigations that look good in theory but don't actually protect against CSRF or have better CSRF protection alternatives.
Comments

I just want to say that as a student who is studying for their Cybersecurity degree your videos are invaluable. You are able to break down complex concepts in a very digestible manner and allow me to get a real understanding of what's going on under the hood. Thank you for your work!

andrewkoontz

Just want to point out something implied in the video:
CSRF on POST forms is as easy as creating a malicious page with JavaScript that POSTs a crafted message to the vulnerable website where the victim is logged in.

CSRF is something which developers have the most responsibility to fix, mentioned in the video through a secret CSRF token.
Another method to mitigate (note the term, not fix) CSRF is through a fixed session invalidation duration. While this method is not user friendly, it does reduce the time window in which the user will encounter the CSRF payload AND have a valid session token with the vulnerable website. Having a fixed expiration duration is recommended for other security mitigation measures as well.

Is there something users can do to prevent CSRF? 1. Don't click on any unknown links. 2. Log out of every service once you are done using it - if you do not maintain a session, chances are any decently coded website will reject the CSRF request (GET, POST, BLAH) before bothering to parse anything.

iamt_tl
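An added illustration (not code from the video or from the commenter above) of the two mitigations the comment describes: a secret per-session CSRF token checked on every POST, and a fixed session lifetime. The in-memory session store, `SECRET_KEY`, and the `handle_post` request handler are constructed for this example and stand in for a real web framework.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a web app's session store and POST handler.
SESSION_LIFETIME = 15 * 60           # seconds: the "fixed session invalidation duration"
SECRET_KEY = secrets.token_bytes(32)  # server-side key (assumption: generated per deployment)
sessions = {}                         # session_id -> {"user": str, "created": float}


def create_session(user, now=None):
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "created": time.time() if now is None else now}
    return sid


def csrf_token(session_id):
    # Synchronizer token: an HMAC over the session id, so it is unique per session.
    # A cross-site page can make the browser attach the cookie, but it cannot read
    # the real form to learn this value, so a forged POST cannot include it.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post(cookies, form, now=None):
    """Return (status, reason). `cookies` is what the browser attached automatically,
    `form` is the POST body (which only the legitimate page can fill in correctly)."""
    now = time.time() if now is None else now
    sess = sessions.get(cookies.get("session"))
    if sess is None:
        return 401, "no session"
    if now - sess["created"] > SESSION_LIFETIME:
        sessions.pop(cookies["session"], None)  # expiry shrinks the window a CSRF payload has
        return 401, "session expired"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(cookies["session"])):  # constant-time
        return 403, "csrf token missing or invalid"
    return 200, f"transfer performed for {sess['user']}"


def demo():
    """Forged cross-site POST (cookie only), legitimate POST, and POST after expiry."""
    t0 = 1_700_000_000.0  # constructed clock value
    sid = create_session("alice", now=t0)
    cookie = {"session": sid}
    forged = handle_post(cookie, {"amount": "100", "to": "attacker"}, now=t0)
    legit = handle_post(cookie, {"amount": "100", "to": "bob", "csrf_token": csrf_token(sid)}, now=t0)
    stale = handle_post(cookie, {"csrf_token": csrf_token(sid)}, now=t0 + SESSION_LIFETIME + 1)
    return forged[0], legit[0], stale[0]


if __name__ == "__main__":
    print(demo())  # (403, 200, 401)
```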