I am very thankful for this explanation. Your channel allows me to get really helpful coding knowledges and also to improve my English!!!
MY BROTHER!! Thank you so much ! I’m bad in English, but I excellent understand you. Respect! DjazakAllah hayran
It was very helpful to me. Thanks man for explaining this concept in detailed
How does this prevent the hacker from performing CSRF? The hacker can just read the XSRF-TOKEN cookie from the client-side code and add it as a header? Would love to get some clarity.
I think if you are saving this token in cookie then it should be like session ids. A unique token for every logged in user
I have the same question
extremely well explained and enlightening, thank you very much!!!
Very well explained. Thanks
I have not completely understood. If the CSRF token is saved in cookies, the user's browser will send the cookies when the intruder's link is opened. Looks like sending the CSRF token in some hidden form field is much better.
You can make that cookie's samesite flag as strict. So it won't be sent on cross site requests
@shyamsundargoyal9251 The final request in a CSRF attack is not cross-site.
You are correct. You need to have the CSRF token returned by the server, ideally somewhere in the response body. If it's returned within the cookie, cross-site requests will include the cookie (legitimate token) and the forged request might be accepted, depending on the backend logic. However, the CSRF token could be returned within the cookie; client-side JavaScript could thereafter extract it via the document.cookie property and manually add it as an X-CSRF-TOKEN header. When the server expects the token from the header and not the cookie, the situation changes, because cross-site requests won't have this header automatically attached (unlike the cookie) and the attacker doesn't know the victim user's token value, so the abuse won't be possible.
Thank you very much, I was really seeking that.
Is it expected that the XSRF token changes on every call? I have implemented it, but every call retrieves a different token.
Hi, is it possible to turn off the CSRF "Are you sure you want to logout" screen in Spring Boot Security for non-logged-in users? By default it shows even if a user did not log in.
If it wasn't too much trouble, is the example repository available?
Hello... Is it possible to enable CSRF and HttpOnly/Secure (for JSESSIONID) at the same time?
Well explained.
Is the CSRF token changing on every request, or does it remain the same?
Great video ! Thanks a lot
Superb! Well explained!
Which course is this a part of? YouTube is not linking the previous episode.
Hello! Here is the link (SpringBootSecurity) ua-cam.com/video/her_7pa0vrg/v-deo.html
How does this prevent someone from impersonating by using the same CSRF token?
Yes, the hacker could write code to simply get the XSRF-TOKEN from the cookies on the client side?
@StyleTrick The cookie that you are sending should have the SameSite flag set to Strict, so it cannot be sent with cross-site requests. Also, to avoid XSS, the cookie should be httpsecure so that client-side JS cannot access it.
@shyamsundargoyal9251 So how does it work from Postman (copying the CSRF token) and not from a malicious website?
The attacker would need to extract the token from the victim's browser. This could be achieved with, for example, an XSS attack (Cross-Site Scripting). XSS almost always defeats CSRF protection, as it is a more severe client-side vulnerability. In that case, you need to take care of the XSS problem first, or any other form of sensitive data leakage from your site. Once the token is safe, CSRF protections will then hold. Otherwise, hackers cannot get the victim user's valid XSRF-TOKEN and request forgery protection works.
Sir, if I'm using Angular as the frontend and a REST API in Spring Boot with Security at the backend, and I'm not using cookies anywhere in the entire application (I'm using localStorage), does it make sense to use CSRF, and if yes, then how, when I'm not using cookies? Eagerly waiting for your reply!
The best way is sending the token in the hidden field.
[...]
@kishoreramana1 I think for this to work you need to send a changing token every time, because if a hacker is targeting a particular site he can use the value of this CSRF token if it is always the same.
@shyamsundargoyal9251 We would need to generate a new CSRF token whenever the user logs in or refreshes the session; then it would be unique for that session.
If you are using localStorage and utilizing this session ID within a header, such as Authorization: Bearer, and not a cookie, then your app is secure.
Reasoning: cross-site malicious requests will have only the victim user's session cookies attached within the request; other headers won't be attached automatically, meaning that the requests won't pass as authenticated, preventing the attack.
Where is the full code/github link for this ?
When I get the CSRF token from the backend, it is not set in the cookie automatically.
I understand how a CSRF attack works, but why does the cookie protect the server? Can't the attacker copy that CSRF token inside the cookie? If you have the client token and the user token, you have everything, no?
The browser is smart enough to only allow a website to access its own cookies; no website can access the cookies of another website.
Where's the git?
I'm not getting any cookie when sending a GET request?
Amigo, can you please help me solve the disappearing CSRF token in a React application using Spring Boot?
The CSRF token changes on every POST request; how do I handle this in Angular?
My Spring does not create the CSRF token, I have no cookies :(( Help
If we are using JWT, do we need CSRF enabled?
No
Thank you.
I HATE FUCKING GAMESTOP KEEP SAYING IM TRYING TO DO THIS
I have a question... I already have the knowledge on IDOR and CSRF vulnerabilities, but I need to practice... like chess... I am happy there is software I can practice on relating to chess... because I can test out, rearrange, apply, try out anything I have learnt... so saying that... are there any websites or software I can buy that has like hundreds of IDOR vulnerabilities that I can use Burp on and practice all night?? Thanks.
not sure I am afraid
Yes, OWASP has a few vulnerable-by-design websites for you to practice on. Check them out.
Hello amigoscode, if I want to start learning Java programming, can you share a tutorial link for beginners? ^_^ Thank you...
planning to record a course
What version of Postman are you using? My UI looks different from yours.
Justin Davis I was using a deprecated version. But the new one is quite similar
@amigoscode do you do any front end UI stuff with Angular?
Justin Davis no Angular, so just React 🙂
Can you provide the source code for this video?
Hey, I'm not getting all those cookies that you're getting; all I'm getting is a JSESSIONID. How do I get what you're getting?
Full course is now out. Check my channel for the latest video
Hi Justin, if you have figured out how to get that CSRF token while sending a GET request, sharing the workout is highly appreciated :)
great
amazing your channel
Thanks. Subscribe for more
Sir, can you give one course about BDA PostgreSQL?
on my TODOs
I JUST WANT A FUCKING CONTROLLER AND I DONT HAVE MY CREDIT CARD ON ME SO IM DOING IT ONLINE