I guess that if the only thing I log into in my mobile browser is my feed reader, I don't have too much to fear there about #XSS or #CSRF. Nobody is going to attack it, because there's no value in it. And it can't be used to steal anything else, because there isn't anything else.
Sending POST data to a Django view via AJAX to a REST endpoint - https://anjane.sh/csrf - #django #python #javascript #csrf #rest
📺
I am assuming the Linus Tech Tips YouTube hack was CSRF:
So Linus says one of the staff's session tokens was hijacked via a dodgy email; I think this is classic CSRF.
However he mentions session token.
I am wondering what the difference is between a session token and an access token, because in this case logically they are the same.
If so, it seems HttpOnly cookies are not that secure; what is the alternative then?
#linustechtips #csrf #cookies #youtube
Dear #InfoSec community. If my app doesn't use cookies, then am I right in understanding that it is not susceptible to #CSRF attacks? Authorization would be done through an Authorization header with a token stored in the client's session and/or local storage.
And if it did have a cookie, then would a SameSite=Strict mitigate this?
Cross-Site Request Forgery is an attack vector in which the victim is lured to click on a malicious link attempting a fraudulent operation on that sensitive site. Ted Byerly shows How To Protect Your Applications from #CSRF with F5 Distributed Cloud https://community.f5.com/t5/technical-articles/how-to-protect-your-applications-from-cross-site-request-forgery/ta-p/309117
https://infosec.exchange/@VidmoOreda/109937211392065997
"These sort of browser security mechanisms (i.e., SameSite cookies, Fetch metadata) are meant to be defense-in-depth only." < They cannot be serious, SameSite is _the_ solution to #CSRF.
It's important to understand #CrossSiteRequestForgery (#CSRF) and how to prevent it. It's a sneaky attack that can be used maliciously to steal data. #CyberSecurity #CyberAwareness #SecurityAwareness
https://redbeardsec.com/how-to-understand-and-prevent-cross-site-request-forgery/
#csrf is like when someone else gets a hold of your account and starts doing stuff without your knowledge, like buying stuff online or changing your password.
#Hacking #CyberSec #cybersecuritytips #pentest #Pentesting #infosecurity #infosec
https://medium.com/@TheCS_student/exploiting-cross-site-request-forgery-in-web-application-penetration-tests-70784dcf7cc3
🪲 Interesting article on CSRF attack that bypasses CSRF defence
▶️ Practical Example Of Client Side Path Manipulation - post by @aroly
#csrf #appsec #bugbounty #bugbountytips #redteam #infosec
Golang CSRF Defense in Practice:
https://dev.to/llance_24/golang-csrf-defense-in-practice-10k
#golangtips #golang #csrf #websecurity
Am I misunderstanding Firefox's state partitioning (https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning)?
It seems like it would make CSRF tokens obsolete? But everybody is still talking about the SameSite attribute against CSRF?
Before reporting #SSRF, try turning it into an RCE
#Self-XSS? try making an #exploit chain with #clickjacking
#bugbountytip #ssrf #self #exploit #clickjacking #xss #csrf
I'm excited to share some of my work that came out today! Specifically, a handful of vulnerabilities in #F5 #BIGIP devices that I worked on through the summer, and worked with the vendor to get patched (F5 was awesome to work with, btw!).
I wrote a super detailed #blog post, and also wrote a full PoC. #Metasploit modules (both for the exploits and some post-exploitation data-gathering) are incoming as well!
The most important of the issues is #RCE via a #CSRF vulnerability in the #SOAP interface (#CVE_2022_41622), which is pretty cool (though requires a confluence of conditions to actually matter). I also had to bypass #SELinux to actually exploit this on the path I chose, which is kinda cool.
The other is authenticated RCE, to which they assigned #CVE_2022_41800, though even I, the person who found it, don't really think it's a big deal. It's a nice way to get a #Meterpreter session on your test box, at least?
I also published a bunch of my #tools for analyzing F5, including scripts to build, parse, and #MitM requests to their proprietary (I think?) database protocol (these require a valid login to use, but there's no user separation so there's a bit of #LPE).
I'll also be speaking about this research in much more detail (as much as I can in 45 minutes :) ) in my #HushCon talk on Dec 2!
Has anybody written a #Metasploit module to exploit a #CSRF vulnerability?
I need to make one, but there are considerations: do I display some sorta user-provided template? Do I submit the form with JavaScript? Do I try to be sneaky?
#infosec #csrf #webdevelopment #securesoftwaredevelopment #netbeans #informationsecurity #secdevops
Black Hat USA 2020: Critical Meetup.com Flaws Reveal Common AppSec Holes - With Black Hat USA 2020 kicking off this week, Erez Yalon with Checkmarx talks about newly disclos... https://threatpost.com/black-hat-usa-2020-critical-meetup-com-flaws-reveal-common-appsec-holes/157950/ #newsmakerinterviews #applicationsecurity #crosssitescripting #blackhatusa2020 #vulnerability #criticalflaw #websecurity #blackhat #webflaw #videos #appsec #meetup #patch #csrf #xss