Thanks Troy, I didn't understand a single thing you said, though I got the gist. I'm glad for the Troys of this world who willingly help others to protect their privacy. Hope you and your family are well. Sincerely, Alyssa
Did you forget to mention that these 2 tabs need to be open in the same browser on the client side for this to work? Else you would need the auth cookie as well. Nevertheless, good explanation.
Suppose a website is designed in such a way that reload or back is prohibited or doesn't work; then how would it work? I mean, will it raise an exception?
Nice video, but serious question! ....Doesn't the same-origin policy protect against CSRF? Why do we need the anti-forgery tokens? Or is it that these tokens are necessary only if somehow the SOP was bypassed?
Someone please answer. At 5:24, why can't the attacker copy-paste the form hidden-field HTML into his CSRF HTML and POST the request?? NOT POSSIBLE??? PLZ ANSWER
Hi, it's a great explanation. I have a question regarding the GET request being made from the app. Example: click. Now the above URL is used as a hyperlink in the application, and it performs some operation. This is not a POST request to the server. Do we need to validate this request? Do we need to send the token along with the URL?
This is the clearest explanation of CSRF i have ever seen.
Thanks Troy. This is a helpful video with the clearest explanation!
Very helpful. Played this video at work for my team and we all learned something new. Thanks!
Thank you for putting this together. I did the demo shown in this video. Works great!
Very helpful. Understood it practically and was able to explain it as an answer in my job interview recently.
I learned a lot about CSRF now. Thanks for sharing your knowledge.
Nicely explained with a working demo which makes the concept more clear
A helpful video for web developers to fix the bug of the next project...
best practical explanation of csrf!
How does the same auth cookie get sent "auto magically"? If the original 1st tab gets closed, then no auto magic, I guess?
@23:08 if a secret token is stored in a cookie, can't a malicious user steal this cookie with cookie theft techniques and read the token?
Your concept is crystal clear....thanks a lot. Apart from the last .NET part, I understood the video very clearly...
Great presentation, simple, precise and straightforward.
What about Cross-Origin Request Blocked?
Awesome video. Thanks for going in depth.
Hi Sir, after adding the web application, how did you add that token-related code to the application?
Does checking `$_SERVER['HTTP_ORIGIN']` combat this attack? I noticed it was "null" in your hacked request.
Shouldn't CORS policy help in this regard?
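The questions above about the same-origin policy, copying the hidden field at 5:24, stealing the token cookie, and checking the Origin header all come down to one thing: the anti-forgery check binds the form token to the user's own cookie and session, which an attacker's page cannot reproduce. The following is an added example written for this thread, not code from the video or from ASP.NET's own implementation; the server key, session ids and origins are constructed placeholders.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-placeholder-server-key"  # real one lives in server config
ALLOWED_ORIGIN = "https://app.example"               # assumed origin of the protected site


def issue_tokens(session_id: str) -> tuple:
    """Return (cookie_token, form_token) for one logged-in session.

    The form token is an HMAC over the random cookie token and the session id,
    so a hidden field copied from another session never matches the cookie
    the victim's browser attaches automatically.
    """
    cookie_token = secrets.token_hex(16)
    msg = f"{cookie_token}:{session_id}".encode()
    return cookie_token, hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def csrf_ok(session_id: str, cookie_token: str, form_token: str, origin) -> bool:
    """Server-side check for every state-changing POST."""
    # A cross-site post carries the attacker's origin or the literal string
    # "null" (as seen in the $_SERVER['HTTP_ORIGIN'] question). Reject anything
    # present that is not ours; an absent header falls through to the token check.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    msg = f"{cookie_token}:{session_id}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time compare. A stolen cookie token alone does not yield the
    # form token, because SERVER_KEY is needed to recompute it.
    return hmac.compare_digest(expected, form_token)


def demo() -> dict:
    """Replay the situations raised in the comments; True means accepted."""
    v_cookie, v_form = issue_tokens("victim-session")    # victim logs in
    _, a_form = issue_tokens("attacker-session")         # attacker logs in too
    return {
        # Normal submit from the site's own page.
        "own page": csrf_ok("victim-session", v_cookie, v_form, ALLOWED_ORIGIN),
        # Attacker pastes his own hidden field; the browser still sends the victim's cookie.
        "pasted hidden field": csrf_ok("victim-session", v_cookie, a_form, "https://evil.example"),
        # Same forgery with no Origin header: token binding still fails.
        "pasted field, no origin": csrf_ok("victim-session", v_cookie, a_form, None),
        # Correct token pair but Origin "null": origin check rejects it.
        "null origin": csrf_ok("victim-session", v_cookie, v_form, "null"),
    }
```

Note that a plain GET link, as asked about further up, gets no protection from this check; the fix there is to not let GET requests change state.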
best tutorial on csrf bar none
Awesome work! Thanks Troy
Hey bro, I have a question about this video. Why does your CSRF demo page send AuthCookie to the server? Thanks a lot.
Can I download the website for my lab ?
Wow excellent explanation
very nice explanation of csrf, thanks.
But sir, now websites use the old password parameter also, so it is now impossible for the attacker to attack with CSRF.
This is crystal clear now THANKS.
When I try to send the request I don't get any auth cookie.
Great talk Troy, Thanks.
What happens if I send a jQuery AJAX request?
Very detailed explanation. Thank you.
amazing clear explanation.
Great video Troy, Thanks 👍🏻
Great explanation!
Great Video Troy!
Auto-Magically?
Troy! Thanks for sharing! 🔐🗝
You sound like the narrator from The Stanley Parable game.
bruh !! thank you thank you thank you thank you
Great vid! upvote
Great! I love it !
Great!*****
Wow, its Troy Hunt. He invented the famous HaveIBeenPwned Website: haveibeenpwned.com/
too gud
10:25 WTF!
that site is pretty.. yeah hacked... that does include dic picks D: