UnicornPoo
213d

My latest mandatory training:
CSRF can be really bad.

Well, no fucking shit, Sherlock!

Comments
  • 1
    Wait what??!!??

    I thought CSRF was a web browser feature! Well I'll be damned, such a useful training, this should be mandatory for all employees everywhere every Monday!
  • 2
    I know CSRF is bad. Making sure it doesn't happen is a totally different thing.

    I hate web dev...
  • 1
    From the following lessons:
    - you shouldn't put secrets in the client code
    - Passwords shouldn't be readable
    - Input should probably not be executed as code unless you really know what you're doing.
  • 0
    It should be a training for everyone to really understand what it is. It's really bad when you hire a penetration testing company with "10+ years of experience" and then their staff comes in and tells you that the GET request which only renders an HTML of the form and nothing else is "vulnerable" because you can "render" that html without an anti-CSRF token. :)
    Also today you can do full anti-CSRF protection by just using SameSite=Strict in your cookies, or by not using cookies at all and going full access token and REST. :)
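The distinction the last comment draws (a GET that only renders a form needs no token; state-changing requests do, and SameSite=Strict cookies close most of the gap) as an added illustration that is not from the post or any commenter. The secret, session id, site origin and the `check_csrf`/`session_cookie_header` helpers are constructed for the example; the token scheme is an HMAC of the session id under a server secret, one common synchronizer-token design.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Methods that must not change state, so they carry no anti-CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for a session cookie with SameSite=Strict.

    With Strict, the browser withholds the cookie on any cross-site request,
    so a forged form post from another origin arrives without a session.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["samesite"] = "Strict"  # needs Python 3.8+
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def csrf_token_for(session_id: str, secret: bytes) -> str:
    """Derive the per-session anti-CSRF token (HMAC-SHA256 of the session id)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _same_site(url: str, site_origin: str) -> bool:
    a, b = urlsplit(url), urlsplit(site_origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def check_csrf(method: str, cookies: dict, form: dict, headers: dict,
               secret: bytes, site_origin: str = "https://app.example") -> tuple:
    """Decide whether a request may proceed; returns (allowed, reason).

    Safe methods pass without a token: rendering a form is not a state change,
    which is the point the commenter makes about the flagged GET.
    State-changing methods need a session, a same-site Origin/Referer when one
    is present, and a token bound to that session.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method: no state change, no token needed"

    session_id = cookies.get("session")
    if not session_id:
        # A SameSite=Strict cookie is exactly what a cross-site POST lacks.
        return False, "no session cookie"

    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not _same_site(origin, site_origin):
        return False, "cross-site origin"

    token = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    expected = csrf_token_for(session_id, secret)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "token valid"


if __name__ == "__main__":
    secret = b"constructed-server-secret"      # placeholder, not a real key
    sid = "sess-123"                            # constructed session id
    print(session_cookie_header(sid))
    print(check_csrf("GET", {}, {}, {}, secret))
    print(check_csrf("POST", {"session": sid}, {}, {"Origin": "https://evil.example"}, secret))
    print(check_csrf("POST", {"session": sid}, {"csrf_token": csrf_token_for(sid, secret)},
                     {"Origin": "https://app.example"}, secret))
```

The exemption for safe methods only holds if GET handlers really are side-effect free; a GET that deletes or changes something is the case that deserves the finding.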