Тёмный

Dangers of CSRF Attacks and How to Prevent Them in Spring Boot App 

Sergey Tech
Подписаться 1,8 тыс.
Просмотров 2,8 тыс.
50% 1
ВидеоПоделитьсяСкачатьДобавить в

In this RU-vid video, we're going to put a "hacker" hoodie and demonstrates a CSRF attack on a fake banking website to show how it works. Disclaimer - hacking or penetration testing without prior authorization is illegal.
We're going to look how to protect against CSRF attacks using two methods from Spring Security: the SameSite Attribute and the Synchronizer Token Pattern. The SameSite Attribute can prevent the browser from sending cookies for cross-site requests, while the CSRF token is a random string that the server generates and returns to the client to ensure that the request is coming from a legitimate source.
Github Repo - github.com/skryvets/csrf-vuln...
Docker command - docker run -p 8080:8080 -t skryvets/csrf-vulnerable-spring-application
Spring official documentation regarding CSRF - docs.spring.io/spring-securit...
👋🏻Connect with me:
Website: skryvets.com
Twitter: / skryvets
Github: github.com/skryvets
LinkedIn: / skryvets
SUBSCRIBE TO MY CHANNEL: www.youtube.com/@sergey_tech?... ❤️
Chapters
0:00 Introduction
0:28 Disclaimer
0:42 Project Intro
1:17 Project Overview
2:44 Creating the Exploit
3:27 Implementing the Solution
7:32 Solution Deep Dive: What Happened
8:31 Preventing CSRF Attacks: Overview
8:59 SameSite Attribute: Explained
12:53 CSRF Token: Explained
15:34 Types of Malicious Browsers and How Scammers Trick Users
16:39 Conclusion

Опубликовано:

 

16 июн 2024

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Комментарии : 20   
@lahirusandaruwan63
@lahirusandaruwan63 10 месяцев назад
It was great thank you, please keep posting ❤
@Dev_Vey
@Dev_Vey 6 месяцев назад
Thanks for the video my friend. I was using csrf token, but knowing that there is another way (same-site) is great to know. Keep on going :)
@mriduljayan4466
@mriduljayan4466 Год назад
It was great thank you, please keep posting
@sergey_tech
@sergey_tech Год назад
Thank you!
@ramakrishnapenti2801
@ramakrishnapenti2801 Год назад
Very super way of telling I need these type teaching
@sergey_tech
@sergey_tech Год назад
Thank you!
@kadrisofiane1911
@kadrisofiane1911 2 месяца назад
Amazing video! ⭐ Thank you for the explanation. Keep posting videos you are doing a great job! 🏆 I would like to see more about Spring security and especially the hacker/dev personas (those were quite awesome and got my full attention).
@techforserious60
@techforserious60 6 месяцев назад
Thanks many times over, actually one thing from here that helped me a lot was enabling spring security's logging in the intellij console, i had no idea there was such logging, i just assumed everything in there was all there was, though in retrospect it seems obvious. great to now be able to see everything, really nice vid bruh liked n subbed
@JoshWoodcock
@JoshWoodcock Год назад
Great hoodie!
@sergey_tech
@sergey_tech Год назад
Haha, thanks 😂
@ferlezcano
@ferlezcano Год назад
Hard topic 🤯
@shankaraec
@shankaraec Год назад
excellent
@sergey_tech
@sergey_tech Год назад
Thank you, Shankar 😊
@user-jq6mt1wc7t
@user-jq6mt1wc7t 8 месяцев назад
like for the good explanation!!!
@souvik.the.developer
@souvik.the.developer Год назад
how to protect from it...please make a video on it.....please sir....
@mbesida
@mbesida Год назад
Is attack possible in case of SPA? If post request is made by JS code on a web page?
@sergey_tech
@sergey_tech Год назад
The direct answer to your question is that it's 'most likely not possible'. But it depends on the authentication mechanism you're using. When most SPAs use JWT tokens, they need to be manually included in the header (typically as "Authorization: Bearer xxxx"). This method makes a CSRF attack less likely because it doesn't rely on the browser automatically sending a cookie header with a session id. However, there are two important considerations: - Ensure that the JWT token isn't stored in a cookie. - Ensure the app doesn't fall back to cookie-based authentication. These are, of course, based on my assumptions. If your app is using a session id stored in a cookie, as shown in my video, then yes, you'll need to protect against CSRF attacks.
@roronoa_d_law1075
@roronoa_d_law1075 Год назад
11:14 how can a post request be a top-level request ? I thought top-level requests are the one that are made from the search bar but it's not the case for post request, is it ?
@sergey_tech
@sergey_tech Год назад
Hey, Roronoa_D_Law! Great point! When I was referring to 'top navigation POST requests,' I was talking about POST requests that lead to a new page, such as what happens when you submit a form. This kind of POST request can indeed be considered a top-level navigation. You're correct that top-level navigation usually refers to changing the entire page, and this can occur in different ways, such as typing a URL into the address bar or clicking a link. However, it can also happen through a form submission, which typically involves a POST request. So while not all POST requests result in top-level navigation, those that do lead to a new page fall under this category. E.g. in our example, Spring app has a login form on the page "localhost:8080/login". When entering credentials it did redirect to "localhost:8080". This would be considered a top-level navigation POST request.
@roronoa_d_law1075
@roronoa_d_law1075 Год назад
@@sergey_tech oh I see, thanks for the clarification :)
Далее
Cross-Site Resource Forgery (CSRF) - Spring Security
49:57
Cross-Site Resource Forgery (CSRF) - Spring Security
Просмотров 3,3 тыс.
Spring Security From Beginner to Pro: A Journey Through Spring Security Architecture
10:40
Spring Security From Beginner to Pro: A Journey Through Spring Security Architecture
Просмотров 22 тыс.
♀ 🔁 ♂ = ...❓ #OC #늦잠 #vtuber
00:12
♀ 🔁 ♂ = ...❓ #OC #늦잠 #vtuber
Просмотров 1,5 млн
Нюша на премии МУЗ-ТВ 2024 #нюша
00:11
Нюша на премии МУЗ-ТВ 2024 #нюша
Просмотров 160 тыс.
Daddy Shark vs Daddy Pedro!! Who won?? 🤔🤯 @Mamiko #beatbox #challenge #fyp
00:21
Daddy Shark vs Daddy Pedro!! Who won?? 🤔🤯 @Mamiko #beatbox #challenge #fyp
Просмотров 8 млн
⚠️ Россия без доллара и евро / Что будет с курсом рубля? / Дмитрий Потапенко* и Дмитрий Дёмушкин
32:20
⚠️ Россия без доллара и евро / Что будет с курсом рубля? / Дмитрий Потапенко* и Дмитрий Дёмушкин
Просмотров 801 тыс.
Cross-Site Request Forgery (CSRF) Explained
14:11
Cross-Site Request Forgery (CSRF) Explained
Просмотров 430 тыс.
Cross Site Request Forgery - Computerphile
9:20
Cross Site Request Forgery - Computerphile
Просмотров 756 тыс.
Spring Security for Beginners| How can you implement Spring security | using spring boot
1:06:29
Spring Security for Beginners| How can you implement Spring security | using spring boot
Просмотров 1,1 тыс.
How to do logging in Spring Boot - Brain Bytes
13:46
How to do logging in Spring Boot - Brain Bytes
Просмотров 262 тыс.
Your App Is NOT Secure If You Don’t Use CSRF Tokens
9:57
Your App Is NOT Secure If You Don’t Use CSRF Tokens
Просмотров 122 тыс.
CSRF Tutorial - A Guide to Better Understand and Defend Against Cross-Site Request Forgery (CSRF)
14:03
CSRF Tutorial - A Guide to Better Understand and Defend Against Cross-Site Request Forgery (CSRF)
Просмотров 84 тыс.
Spring Security JWT: How to secure your Spring Boot REST APIs with JSON Web Tokens
43:06
Spring Security JWT: How to secure your Spring Boot REST APIs with JSON Web Tokens
Просмотров 115 тыс.
Spring Filters Series 5 - Order of Filters in Spring
16:26
Spring Filters Series 5 - Order of Filters in Spring
Просмотров 5 тыс.
Spring WebSecurityConfigurerAdapter Deprecated - refactor the easy way. Part 1.
13:02
Spring WebSecurityConfigurerAdapter Deprecated - refactor the easy way. Part 1.
Просмотров 912
Web Server Concepts and Examples
19:40
Web Server Concepts and Examples
Просмотров 228 тыс.
♀ 🔁 ♂ = ...❓ #OC #늦잠 #vtuber
00:12
♀ 🔁 ♂ = ...❓ #OC #늦잠 #vtuber
Просмотров 1,5 млн