Тёмный

Dangers of CSRF Attacks and How to Prevent Them in Spring Boot App 

Sergey Tech
Подписаться 1,8 тыс.
Просмотров 2,8 тыс.
50% 1
ВидеоПоделитьсяСкачатьДобавить в

In this RU-vid video, we're going to put a "hacker" hoodie and demonstrates a CSRF attack on a fake banking website to show how it works. Disclaimer - hacking or penetration testing without prior authorization is illegal.
We're going to look how to protect against CSRF attacks using two methods from Spring Security: the SameSite Attribute and the Synchronizer Token Pattern. The SameSite Attribute can prevent the browser from sending cookies for cross-site requests, while the CSRF token is a random string that the server generates and returns to the client to ensure that the request is coming from a legitimate source.
Github Repo - github.com/skryvets/csrf-vuln...
Docker command - docker run -p 8080:8080 -t skryvets/csrf-vulnerable-spring-application
Spring official documentation regarding CSRF - docs.spring.io/spring-securit...
👋🏻Connect with me:
Website: skryvets.com
Twitter: / skryvets
Github: github.com/skryvets
LinkedIn: / skryvets
SUBSCRIBE TO MY CHANNEL: www.youtube.com/@sergey_tech?... ❤️
Chapters
0:00 Introduction
0:28 Disclaimer
0:42 Project Intro
1:17 Project Overview
2:44 Creating the Exploit
3:27 Implementing the Solution
7:32 Solution Deep Dive: What Happened
8:31 Preventing CSRF Attacks: Overview
8:59 SameSite Attribute: Explained
12:53 CSRF Token: Explained
15:34 Types of Malicious Browsers and How Scammers Trick Users
16:39 Conclusion

Опубликовано:

 

25 июн 2024

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Комментарии : 20   
@kadrisofiane1911
@kadrisofiane1911 2 месяца назад
Amazing video! ⭐ Thank you for the explanation. Keep posting videos you are doing a great job! 🏆 I would like to see more about Spring security and especially the hacker/dev personas (those were quite awesome and got my full attention).
@user-jq6mt1wc7t
@user-jq6mt1wc7t 8 месяцев назад
like for the good explanation!!!
@lahirusandaruwan63
@lahirusandaruwan63 11 месяцев назад
It was great thank you, please keep posting ❤
@Dev_Vey
@Dev_Vey 6 месяцев назад
Thanks for the video my friend. I was using csrf token, but knowing that there is another way (same-site) is great to know. Keep on going :)
@ramakrishnapenti2801
@ramakrishnapenti2801 Год назад
Very super way of telling I need these type teaching
@sergey_tech
@sergey_tech Год назад
Thank you!
@mriduljayan4466
@mriduljayan4466 Год назад
It was great thank you, please keep posting
@sergey_tech
@sergey_tech Год назад
Thank you!
@techforserious60
@techforserious60 7 месяцев назад
Thanks many times over, actually one thing from here that helped me a lot was enabling spring security's logging in the intellij console, i had no idea there was such logging, i just assumed everything in there was all there was, though in retrospect it seems obvious. great to now be able to see everything, really nice vid bruh liked n subbed
@JoshWoodcock
@JoshWoodcock Год назад
Great hoodie!
@sergey_tech
@sergey_tech Год назад
Haha, thanks 😂
@ferlezcano
@ferlezcano Год назад
Hard topic 🤯
@shankaraec
@shankaraec Год назад
excellent
@sergey_tech
@sergey_tech Год назад
Thank you, Shankar 😊
@mbesida
@mbesida Год назад
Is attack possible in case of SPA? If post request is made by JS code on a web page?
@sergey_tech
@sergey_tech Год назад
The direct answer to your question is that it's 'most likely not possible'. But it depends on the authentication mechanism you're using. When most SPAs use JWT tokens, they need to be manually included in the header (typically as "Authorization: Bearer xxxx"). This method makes a CSRF attack less likely because it doesn't rely on the browser automatically sending a cookie header with a session id. However, there are two important considerations: - Ensure that the JWT token isn't stored in a cookie. - Ensure the app doesn't fall back to cookie-based authentication. These are, of course, based on my assumptions. If your app is using a session id stored in a cookie, as shown in my video, then yes, you'll need to protect against CSRF attacks.
@roronoa_d_law1075
@roronoa_d_law1075 Год назад
11:14 how can a post request be a top-level request ? I thought top-level requests are the one that are made from the search bar but it's not the case for post request, is it ?
@sergey_tech
@sergey_tech Год назад
Hey, Roronoa_D_Law! Great point! When I was referring to 'top navigation POST requests,' I was talking about POST requests that lead to a new page, such as what happens when you submit a form. This kind of POST request can indeed be considered a top-level navigation. You're correct that top-level navigation usually refers to changing the entire page, and this can occur in different ways, such as typing a URL into the address bar or clicking a link. However, it can also happen through a form submission, which typically involves a POST request. So while not all POST requests result in top-level navigation, those that do lead to a new page fall under this category. E.g. in our example, Spring app has a login form on the page "localhost:8080/login". When entering credentials it did redirect to "localhost:8080". This would be considered a top-level navigation POST request.
@roronoa_d_law1075
@roronoa_d_law1075 Год назад
@@sergey_tech oh I see, thanks for the clarification :)
@souvik.the.developer
@souvik.the.developer Год назад
how to protect from it...please make a video on it.....please sir....
Далее
Cross-Site Resource Forgery (CSRF) - Spring Security
49:57
Cross-Site Resource Forgery (CSRF) - Spring Security
Просмотров 3,3 тыс.
Spring Security From Beginner to Pro: A Journey Through Spring Security Architecture
10:40
Spring Security From Beginner to Pro: A Journey Through Spring Security Architecture
Просмотров 23 тыс.
Mama Bear Helps Babies Across Road
00:30
Mama Bear Helps Babies Across Road
Просмотров 1,3 млн
🖨️Не выкидывайте чеки! Программируем термопринтер
15:39
🖨️Не выкидывайте чеки! Программируем термопринтер
Просмотров 215 тыс.
это самое вкусное блюдо
00:12
это самое вкусное блюдо
Просмотров 1,3 млн
ОНО СУЩЕСТВУЕТ?? #shorts
00:19
ОНО СУЩЕСТВУЕТ?? #shorts
Просмотров 1,4 млн
Cross-Site Request Forgery (CSRF) Explained
14:11
Cross-Site Request Forgery (CSRF) Explained
Просмотров 432 тыс.
CSRF Vulnerability Explained: How Hackers Exploit Browser Weaknesses
6:00
CSRF Vulnerability Explained: How Hackers Exploit Browser Weaknesses
Просмотров 1,2 тыс.
Spring Boot APIs Gateway in 20 Minutes
22:50
Spring Boot APIs Gateway in 20 Minutes
Просмотров 8 тыс.
Spring Filters Series 5 - Order of Filters in Spring
16:26
Spring Filters Series 5 - Order of Filters in Spring
Просмотров 5 тыс.
Spring Transactions Tutorial | Spring Boot - Daily Code Buffer
20:35
Spring Transactions Tutorial | Spring Boot - Daily Code Buffer
Просмотров 32 тыс.
Cross Site Request Forgery - Computerphile
9:20
Cross Site Request Forgery - Computerphile
Просмотров 757 тыс.
CSRF Tutorial - A Guide to Better Understand and Defend Against Cross-Site Request Forgery (CSRF)
14:03
CSRF Tutorial - A Guide to Better Understand and Defend Against Cross-Site Request Forgery (CSRF)
Просмотров 84 тыс.
Master Burp Suite Like A Pro In Just 1 Hour
51:29
Master Burp Suite Like A Pro In Just 1 Hour
Просмотров 49 тыс.
Spring WebSecurityConfigurerAdapter Deprecated - refactor the easy way. Part 1.
13:02
Spring WebSecurityConfigurerAdapter Deprecated - refactor the easy way. Part 1.
Просмотров 920
Configure the CSRF Protection With Spring Security 6 and Angular
51:54
Configure the CSRF Protection With Spring Security 6 and Angular
Просмотров 6 тыс.
Mama Bear Helps Babies Across Road
00:30
Mama Bear Helps Babies Across Road
Просмотров 1,3 млн