28 thoughts on “CSRF Introduction and what is the Same-Origin Policy? – web 0x04”

  1. I was trying for like 3 days to get that navigator.sendBeacon() trick to work, but it looks like it was addressed about the time this video was uploaded. Coincidence? Anyway, the sendBeacon CSRF for "application/json" doesn't work in any newer Chrome or FF browsers.

    https://bugzilla.mozilla.org/show_bug.cgi?id=1364132

  2. image tag doesn't set cookie. Is it fixed now? Or am I wrong?
    all I did is
    logged in to reddit and opened https://www.reddit.com/message/messages.json
    added
    <img src="https://www.reddit.com/message/messages.json">
    to elements in https://i.imgur.com/1UeGNVL.jpg.
    request was sent but there was no cookie attribute in request headers.
    also the request headers said "Provisional headers are shown".
    and console said "Cross-Origin Read Blocking (CORB) blocked cross-origin response"

  3. I have one small question: 3:35 although the browser cannot access the response, the request is already successfully sent to the server with the cookie and any associated operations should be done, right (if there is no referer check on the server side)? I mean if some dude is so careless as to delete an article using a GET request then the article should already be deleted even though you cannot read the response (probably saying {action: 'delete', success: 'true'}). Is my understanding correct?

  4. I think people tend to forget to like on these types of videos…
    there was a lot of stuff to learn here great video…

  5. Also take note that you can forge every header by just not using a browser, and instead using curl or an HTTP client of some sort in your favorite programming language.

  6. If I were to use something like an OAuth API in my PHP website, could I use one of the values in the user's $_SESSION as a CSRF token?

  7. Can somebody talk to me in this sub, please? it's about this video: https://www.reddit.com/r/LiveOverflow/comments/9pge93/help_me_please/

  8. Your video might raise the assumption that
    1. cross domain requests can't be sent(!) only when credentials are going to be sent via javascript (XHR)
    2. this can be bypassed by using an img/form tag

    Maybe I am wrong, but as far as I understood the SOP only prevents reads and not writes in ANY case (doesn't matter if with/without credentials or via javascript/tags).

    Could you clear this up?

    Otherwise:
    Nice video, I liked it 🙂

  9. In the example at the end of the video, wouldn’t the exploit be useless due to the “notes” XSS only being able to be accessed by someone logged in as us, because we are the only ones who can view it, as you explained at the start of the segment?

  10. With PHP and cURL you can write a little proxy script to bypass same origin policy, e.g. it could look like this: proxy.php?url_to_non_same_origin. I really have cases where I have to use this trick.

  11. Your videos are true gems. You not only replicate the exploit, but also fit a thorough explanation of the underlying concepts into a relatively short video. Huge thanks and don't stop!

  12. If possible please make more videos on the web category too. You make things so simple to understand ☺☺

  13. It took me a while to finally find a video that shows clearly how CSRF would happen despite SOP, with both img and forms. Thank you very much for this vid!

  14. Great videos! You can send data that is not url-encoded in a form post request just use <form … enctype="multipart/form-data"> which can be more convenient to use in inter-protocol attacks, for example. Also I couldn't send data to a different domain with content-type=application/json using the sendBeacon API, there was only just an OPTIONS request (preflight for CORS) being sent whenever I tried to send a Blob. So it seems to be fixed.
