Spot the difference and guess how much time I've wasted on that.... 😠

I'm losing my fucking mind right fucking here.

Setting an anti-csrf token in the index.php file ONCE. Yes, I triple trillion checked, only fucking once.

Print it to the page as test, fair enough, looks good.

Send an ajax request to the server:
AN ENTIRELY FUCKING DIFFERENT TOKEN 😡

Fucking hell.

Boss: We need to disable CSRF and any other form of security, because that shitty, insignificant client has a website that is abomination anyone's eyes, can't pay because of the iframe thingy.

Me: I'd advice against it. This is a significant security issue that just screams to be exploited and there has to be a solution, but idk much about this situation.

Boss: Idk we need to kiss every clients ass till they come. Remove all the security

Me: *Just wants to get home, last one in the office besides the boss* fine
*removes it, deploys and gets the fuck home*

...2 weeks later

Payment gateway: Yeah, we blocked your account, because someone was trying to purchase 30k product in a span of 1h

I'm not even mad about that, but rather about the fact I fucking called it.

* Achievement unlocked: Targeted by scammers

P.s. no major damages, cause the guys from the payment gate understand shit about security.

FUCK DJANGO CSRF FRAMEWORK.
THE PERSON THAT BROKE csrf_exempt DECORATOR SHOULD BE PUNISHED BY YEARS OF HARD WORK IN BITCOIN MINE. I DONT KNOW WHO YOU ARE BUT FUCK YOU AND ALL YOUR CODE, I WISH YOU SLOW AND PAINFUL DEBUGGING OF LEGACY, UNDOCUMENTED, PRE-JQUERY IE-FUCKING-6 CODE YOU FUCKITY FUCK!!!

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:

- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)

...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.

Currently working on my own Express App with CSurf for csrf validation.

Works great but one problem...

HOW THE FUCK SHOULD A POST REQUEST COMING FROM JAVA GET THE FUCKING TOKEN.

Should I made my RESTApi without csrf protection?

I am crying right now...

When you keep telling your boss that you remade one of their sites so that it has BCrypt(currently use SHA-512),CSRF checks, stricter Auth/Cookie encryption and that we should swap it and all he says we will get to it.

wot n tarnation-_-

Just had a so called "cyber security" seminar in college today.
The guy who claimed to be a trainer or somewhat network security guy or something behaved enigmatically with utter consistency. He obviously claimed to know facebook hax0ring though.
They were basically there to advertise their complete crap: csksrc.org
(Ethical Hax0ring Course) (also claimed their site to be 99.9% secured - GREAT!)
After obtaining a ISO*** standard cert or after taking multiple sessions on "advanced ethical hacking" if you go about telling peeps in colleges that: "The single way to hax0r a facebook account is CSRF!" "Will hack your facebook account by MITM through malicious WiFi Ap." Then, NO neither I want your shitty cert nor do I want to be in your team and create the next level of "advanced ethical hax0ring - CEH course". Reason why I get cringed when peeps start about their certs and the ISO*** value it contains. What ISO value does your brain cells contain though?

Urgh.. the amount of things you have to know as a developer.. it can get stressful and frustrating sometimes when (in-depth) technology knowledge is demanded from you (for instance, for a job position)..
It's like being a doctor, being a lifelong student.

A few examples of what I had to know during my career:
Java, .NET, Python, PHP, JavaScript/HTML5/CSS3, Sass/Less, Node.js, ReactJS, AngularJS, Vue.js, Cordova, Ionic, Android, design patterns, SOLID, databases (design, implementation, administration, both NoSQL and relational,..), deployment tools (Octopus, Jenkins,..), VCS, CI/CD, HTTP, networking, security (OAuth2, CORS, XSS, CSRF,..), algebra, algorithms, software testing, profiling, Linux, Unix, Windows, MS Office (advanced mail filtering,..), ITIL, IT Law (licensing and its implications when choosing a product, distribution right,..), server architecture,..

Sure yeah, I know, I've studied all that at university but.. it's been too long (almost a decade now). I have to revisit that knowledge.

My coolest bug fix was fixing XSS and CSRF vulnerabilities. It was the starting of my IT career and when I hear these big names, I used to think that it takes a big brain to fix them. But the solutions were rather simple. My architect told me how to solve them and I made my version of the solution and sent it for his review. He just rejected it and told some enhancements to it. The to and fro of these reviews happened for a week.
At some point I felt, why don't he f*****g do it himself. It would take him about 5 minutes.
Finally my code was approved.
Now when I turn back and think about it, I feel I learned a lot from that exercise.

When I made a PoC xss thingy.

So this webapp (which I was locally hosting) had a message functionality that allowed iframes to be sent through, but they could only originate from a specific domain. They used a bad regex tho, as the workaround was on an OWASP wiki page, which was the third search result for 'XSS'. I then used this iframe to load in a different page on this app where I could inject js in the title field. Then I discovered this field has a length limit, but I could just fit in a script that would base64 decode the hash part of the URL and eval it. I then updated the iframe to include a script that would automatically change the message signature of anyone who loaded it to include the iframe again in their message signature. Because these two pages were from the same domain, I had gained full control of the messaging app too, allowing me to do this and circumvent the csrf system.

I felt like I had achieved something.

Fixed a jenkins crumb issue which my project is facing for past 6 months. Jenkins guy keep sending the crumb from his personal browser whereas we need to request it from our script.

Any of the several hundred (no joke) xss, csrf or sql injection bugs I've fixed in our legacy apps...

Pushed some changes to PROD today. Go to login and check changes .. noooooope!

Still a bit new to Symfony 5... but I'm just not a fan right now. The login screen just jumps back to itself. No login failed message and prod log had a size of 0 so that was no help.

Traced this thing way down into the CSRF Authentication functions. \is_callable(...namespace) just returning null so no go on getting a token for isTokenValid() =/
ugh! This is truly the most torturous junk I've ever seen. Nothing in the logs so I decided to just use the good old ECHO'HERE' debugger.

What was the issue you might ask?... effin' yaml file
Fix for now is to set the session handler_id back to null

Securing my single-page-app. Fuck it. Fucking how? Fuck.

I recently recommended that we fix a gap in the current CSRF implementation.
I’m asked by a fucking business guy that if we haven’t seen an issue till now, why is this a priority?

Should I demo the vulnerability? Why can’t they fucking trust the people that they hire? It’s not like I wanna do it for some selfish motive.

switched job. found out today that my qa - soon to be promoted to senior - does not know what a csrf token is.
*stares out of window*

Can any one recommend a good Go framework for APIs with a MongoDB ORM?

Was using Laravel 6/Lumen but it’s API ability is starting to piss me off with its CSRF crap, JWT/Passport implementation and a it’s lack of MongoDB support.

I don’t need any templating engines at all, its all handled by a SPA and Mobile Apps

So I had this bug where my csrf tokens weren't working and I spent hours on end trying to fix the bug and in the end it wasn't working because I set a default route to load the same page which was resetting the tokens when chrome requested favicon.ico ...

postman to manually check api endpoint works

try again later, doing what you think was the exact same shit, which you've documented, reread your document get 404

fuck csrf

use debugger

find out its returning a 404 when the code i added fails, welp

They asked me to build a small website they will embed in a native application with some web wrapper in Android and iOS.

But also asked me to build a login web service that will return a JWT. Done.

They want to do a native code login form that opens up the web wrapper with my small website already logged in using the login web service.

I have no idea how to proceed in the backend.

At first i tried using postman with a POST request to the sessions/sign_in route and sending a form with the authenticity token and the email and password; but CSRF stopped me. I don't want to turn it off because of reasons.

Now i am wondering how to use this JWT to generate a cookie with a session inside it that they can use in the web wrapper.

Any help would be appreciated :)