Cross Site Request Forgery - Computerphile

Поділитися
Вставка
  • Опубліковано 10 лют 2025

КОМЕНТАРІ • 353

  • @ja-vishaara
    @ja-vishaara 10 років тому +1068

    Tom, I'm never going to your blog, that's for sure now.

  • @Sam_596
    @Sam_596 7 років тому +180

    "But since then, it's got a bit more complicated"
    -Tom Scott, 2013, describing the internet and the history of the universe in one sentence.

  • @ionlymadethistoleavecoment1723
    @ionlymadethistoleavecoment1723 8 років тому +1506

    As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.

  • @VictorFrost
    @VictorFrost 11 років тому +316

    I love how passionate Tom is about this. You can really see it in his face and hear it in his voice.

  • @olatrials
    @olatrials 9 років тому +619

    The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!

  • @MozQit0
    @MozQit0 11 років тому +122

    After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to the Tom and the Computerphile team for spending their time and effort to make these great videos!

  • @o2dyt
    @o2dyt 11 років тому +379

    "My hand has lower ambitions than my brain does"
    Yeaaah I know the feel...

  • @luiscanamarvega
    @luiscanamarvega 9 років тому +198

    Please, don't ever stop making these.

  • @123456789robbie
    @123456789robbie 11 років тому +54

    Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person i'd have wanted to be best friends with if we'd been kids at the same time and place

  • @TheWP120
    @TheWP120 8 років тому +143

    These Tom Scott videos are so addictive, I can't stop watching! xD

  • @MisterPorkchops
    @MisterPorkchops 11 років тому +59

    Tom is probably my favorite person on this channel. I just love the way he talks and I love the topics he has.

  • @matts.1352
    @matts.1352 10 років тому +185

    I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites.
    Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers screen-name authentication, and to modify my screen-name when I was in the chat. Worst-yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations.
    Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.

  • @andersevenrud
    @andersevenrud 11 років тому +21

    Being a web-developer I highly enjoy this series. Tom really knows what he is talking about, and I just love the enthusiasm.

    • @suit1337
      @suit1337 11 років тому +1

      it disturbs me, that you're a web-developer and enjoy this :) you should already know all these issues

    • @andersevenrud
      @andersevenrud 11 років тому +8

      suit1337 Yes, I know about these issues. I think most of the developers out there enjoy these videos regardless of what they know about the subject. And there is always a chance of learning something new.

    • @nryle
      @nryle 11 років тому +1

      suit1337 You do know that web developers can be new to web development right? We don't live in the age where the only way to learn something is through a proper school. You could easily start your web development very small time on your own and be unaware of the basic security flaws...

    • @suit1337
      @suit1337 11 років тому

      I'm aware of that - and that is a shocking development in this business. Take another work field for example: someone could not easily start a business as an electrician without proper education - but you can start as a web developer.
      there are lots of fools around here with no clue, even in the basic properties of the business but they make shitloads of money with their crap
      that really fills me, doing proper work, with anger
      ---
      just an example from my country (austria)
      - the website of our ex financial minister was priced at 220.000 Euro
      the website of the agricultural ministry cost about 5,5 Million Euros
      and those websites are not even closely done properly and get defaced over and over again - instead of blaming the stupid overpriced web developers with no proper education they blame the "bad hackers"
      a few weeks ago our interior ministry presented a new 100 % hackerproof "student licence" - it was hacked only 3 days after via a very simple SQL injection
      i hope you understand, that it disturbs me, that every moron with no education can start a new 1 man web agency and start coding with no education in the field at all.

    • @nryle
      @nryle 11 років тому

      suit1337 I understand this, it's true of anyone who takes pride in their work. It's not really that shocking though. This is true of any business until government steps in to regulate it.
      I think the true problem lies in the fact that Web Development is an all encompassing term even though it has several aspects: Design, Functionality, Reliability, Marketability, and, of course, Security. From what I've seen most people think these are the same, though many have started to separate design.

  • @blob1190
    @blob1190 7 років тому +3

    Got an exam on this tomorrow, this was so helpful for me, thanks! The way you explain things makes them easily accessible

  • @steam2300
    @steam2300 11 років тому +1

    These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.

  • @АндрейБеньковский-ш5к

    This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). I the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both this attacks are well-known and defended against.

  • @Linksbruder
    @Linksbruder 11 років тому +1

    Just wanting to let you guys not know that you are doing a great job I love watching your videos and always get excited when I see that you posted another one.
    I'm 16 years old and enjoy programming but thoose videos add another point of view to it and really get you thinking
    Greetings from Germany

  • @thoughtsofadyingatheist1003
    @thoughtsofadyingatheist1003 Рік тому +2

    You'd be surprised how many web devs don't know about this in 2023

  • @lloydnone
    @lloydnone 11 років тому +2

    Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt tipped pen sound quieter/non existent. It makes my toes curl!

    • @FernieCanto
      @FernieCanto 11 років тому

      Word! That is even worse in Numberphile.

  • @isaac10231
    @isaac10231 11 років тому

    It's good having an episode of computerphile, mainly because the intricate and important details in computer are _so complicated_ even though I (thought) that I knew about computers. This kinda gives me a foundation.
    Also you should probably talk about logic gates, whether it's minecraft or whatnot, they explain how you could have to light switches for one light

  • @Reddemon815
    @Reddemon815 11 років тому

    These are awesome. This guy makes Computerphile the channel I look forward to. More of him.

  • @Zimpfnis
    @Zimpfnis 11 років тому +1

    I know little about IT or programming, but your videos are always very informative and easy to understand, so thanks!

  • @nosscire
    @nosscire 11 років тому +1

    Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!

  • @ramikafa
    @ramikafa 11 років тому +13

    This guy is an excellent presenter. Please, more of him.

  • @TheBreadCatt
    @TheBreadCatt 11 років тому +1

    Great and informative video as always. Loving the amount of Tom on this channel.

  • @tedspens
    @tedspens 9 років тому +8

    I always wondered how Wordpress' nonce hash works. Thanks for the enlightenment!

  • @Sc2mapper117
    @Sc2mapper117 9 років тому +2

    This was really interesting. I was aware of cross-site-scripting and sql Injection but I had never heard of this. Thanks :)

  • @annayosh
    @annayosh 8 років тому

    The tale in the beginning about POST and GET requests is a bit of an ideal case too. Many sites actually work just as well if instead of a GET request you make a POST request with the same content, or vice versa.

  • @hotrodmind
    @hotrodmind 11 років тому

    these videos jus seem to come right after i've implemented something for a project in my courses ... Thank you for informing me of these things, heavens knows I'll need them in the field

  • @kiddor3
    @kiddor3 11 років тому +12

    Ironically I saw "nonce" today in a code and I thought someone didn't follow code standard for nOnce or n_once. Now I know what they meant.

  • @ragir
    @ragir 11 років тому +7

    Great, now i've got to rewrite the project i'm working on. I didn't know about this and it's so obvious. Good video!

    • @Airblader
      @Airblader 11 років тому +8

      If you have to rewrite a project to protect against CSRF attacks you are doing other things wrong as well

    • @IceMetalPunk
      @IceMetalPunk 11 років тому +1

      Rewrite? That sounds a bit like overkill. Just add a nonce token and you're as good as you'll get.

  • @krajek1985
    @krajek1985 9 років тому +3

    Tom, You are the best. Keep making those excellent videos.

  • @coolsebz
    @coolsebz 11 років тому +1

    This is great! :D I love the way Tom explains advanced terms in really simple ideas

  • @mw2isepic1
    @mw2isepic1 11 років тому +1

    This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)

  • @marko_2317
    @marko_2317 6 років тому

    Very informative and explained in a simple and understandable manner. That's why Tom is my favorite, though I enjoy watching the others, too!

  • @vinkuu
    @vinkuu 11 років тому +1

    Here's one consideration on how important it is to validate user input on the server side. Take any disabled html element. Open up firebug console and run some javascript, eg. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.

  • @Daetok
    @Daetok 9 років тому

    This channel is absolutely amazing!

  • @FixDaily
    @FixDaily 3 роки тому +1

    Thank you Dawson from Dawson's Creek!

  • @xenizs9112
    @xenizs9112 2 роки тому

    still relevant even nowadays how beautiful

  • @k776
    @k776 11 років тому +1

    The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.

  • @Imrooniel
    @Imrooniel 11 років тому

    This mini series on security is just wonderfull. Love the content, love the voice, it's just great.

  • @Blue.Diesel
    @Blue.Diesel 9 років тому +47

    Can't i just load the other form in an invisible Iframe and then parse and search through the html retrieved? Use the token info and create my own form.

  • @BorealSelfReliance
    @BorealSelfReliance 11 років тому

    Great explanation, I did know this sort of attack existed but had never given much thought about how to mitigate it.

  • @juandig
    @juandig Рік тому +1

    this still goes under the radar 10y later btw

  • @Niosus
    @Niosus 11 років тому +1

    It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout the users needs to have been on the form which does the action, somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out and you could even track when they leave the form to immediately invalidate the nonce.

  • @ambitecturous4741
    @ambitecturous4741 9 років тому

    Excellent description of XSRF. Thank you. I understand the concept and defenses now.

  • @scienceblossom6197
    @scienceblossom6197 6 років тому

    Best quality of explaining anything ever possible!! Thanks A TONNN!

  • @hecanylmz
    @hecanylmz 8 місяців тому

    I've just watched the video, it was really helpful on my course! Thanks! 🙂

  • @edinatl2008
    @edinatl2008 9 років тому +17

    Thanks for helping me learn the valuable lesson of what a 'nonce' is in UK.

  • @TheSam1902
    @TheSam1902 8 років тому +1

    Nice video ! I already heard about it but I didn't understood everything, so you've made the web a safer place !

  • @FFVison
    @FFVison 11 років тому

    I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.

  • @wbaloo1
    @wbaloo1 5 днів тому

    What a great tutor, very well explained!

  • @otanix
    @otanix 7 років тому +1

    I've been looking for a video that I can send to my non-techie friends to give them slight idea about XSRF. This video is what I've seen so far that's lay-man friendly.

  • @rinu123
    @rinu123 11 років тому

    I'm a web developer and I didn't know the solution. Thank you very much.

  • @MegaChickenfish
    @MegaChickenfish 6 років тому +1

    Learning about this sort of thing really helps me understand *why* we covered all that stuff in Security class. At first glance it's like "oh jeez, look at all these layers upon layers of authentication, authorization, validation, validation-of-the-validation..." but these sorts of clever attacks are why. I didn't even know this sort of thing was possible.

  • @bunbott
    @bunbott 11 років тому +1

    This guy is amazing! More videos by him please!

  • @rahil471
    @rahil471 11 років тому

    Awesome video,great help.
    I'm always waiting for your new videos .

  • @AmitGadaley17
    @AmitGadaley17 3 роки тому

    Very helpful. I liked both the content and the way you described the CSRF. Thanks!!

  • @Mar_Ten
    @Mar_Ten 6 років тому

    Actually learned this now by the video. Quite interesting and will eb sure to include this in serious projects in the future.

  • @florianmuellerCH
    @florianmuellerCH 10 років тому +1

    Damn. Your /delete?confirm=true statement was a 100% hit. Gotta rename my parameters ;D

  • @hidalginator21
    @hidalginator21 11 років тому

    Great Video. As a novice web developer these videos help immensely. Keep them coming. A video on how to design a site which can be logged into securely would be very helpful.

  • @JonathanAnon
    @JonathanAnon 7 років тому

    Tom is good, a very good presenter.

  • @DannyBurkeBanjo
    @DannyBurkeBanjo 11 років тому

    Love your videos! I will doing web computing in September at uni and these videos are excellent! Thanks

  • @DevonBernard
    @DevonBernard 11 років тому

    Another great video guys, looking forward to more cool explanations. Keep up the awesome work!

  • @TechMetalPenguin
    @TechMetalPenguin 11 років тому +1

    And here's the third one... Tom great as always.
    By the way, with Django framework the way to prevent it is as simple and comfortable as adding {% csrf_token %} inside the form tag =).

  • @Hobo_X
    @Hobo_X 11 років тому

    I love this guy please keep making more videos with him

  • @imrankhan-uo4jy
    @imrankhan-uo4jy Рік тому

    Excellent explanation in simplest terms!

  • @Enriath
    @Enriath 10 років тому +9

    Ohhhhhh, so that's what the nonce thing is. Thanks Tom!

  • @rotamrofsnart
    @rotamrofsnart 11 років тому +1

    Lucky for me, I have learnt this in first class of my education.

  • @TechyBen
    @TechyBen 11 років тому +1

    "A bit more complicated". My new catch phrase. :)

  • @BilgeKarga1
    @BilgeKarga1 4 роки тому

    I didn't even know this for 7 years .

  • @MaxGuides
    @MaxGuides 11 років тому +2

    you request the token with your script
    and later in the script you use that token
    easy if the form is standardized-like deleting enemy facebook pages

  • @dizzymetrics
    @dizzymetrics 11 років тому

    Will Tom be a regular? His bits are great.

  • @ChrizzyWhite
    @ChrizzyWhite 11 років тому

    been waiting for this video

  • @AmiyaPatanaik
    @AmiyaPatanaik 11 років тому

    Awesome...never even thought of such security issue...I think chrome's sandboxing of the tabs won't help here coz I have seen the sessions and cookies are shared across tabs....Keep it coming - love the videos

  • @astanouk
    @astanouk 11 років тому

    You can easily get around the random number thing just by making a PHP request to the site and grabbing that form element and inserting it right into your page! Then the random token will be correct everytime because the data is coming directly from the server.

  • @LucianoHelenodaRosa
    @LucianoHelenodaRosa 11 років тому

    I simply love all the Tom's videos, very well explained.
    Keep going with the good content, Mr. Red T-shirt haha - I don't know if it is intentional or not, so I don't want to be a jerk. :p.

  • @MrAskolein
    @MrAskolein 11 років тому

    Awesome Video, Systems security is to my mind the best subject to do videos on, keep doing that, this is very interesting, very useful ! Keep UP that good work

  • @MichielHaisma
    @MichielHaisma 11 років тому

    It just gets better!

  • @Amdrel
    @Amdrel 11 років тому +2

    I just learned about nonces yesterday and implemented one ;)

  • @magnetar02p.23
    @magnetar02p.23 8 років тому +8

    I know this is not relevant to this video, but can you do a video on elliptic curve RSA cryptography?

  • @888SpinR
    @888SpinR 11 років тому

    FIRST!!! computerphile, teaching web attacks since '13

  • @AceCorban
    @AceCorban 11 років тому +3

    I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?

  • @flidrl
    @flidrl 11 років тому +1

    Ya know, if accepting request from other website would work, then the form would likely be accessible by javascript running from the other website as well.
    Which means, my javascript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.

  • @aerouk
    @aerouk 11 років тому

    This guy's videos are brilliant! Web security and hacking is so interesting. :)

  • @KhalilEstell
    @KhalilEstell 11 років тому

    Hmmmm, time to add that to my project! :P Thank you Computerphile!

  • @GenericRubbishName
    @GenericRubbishName 11 років тому

    More from this guy!

  • @techtutorish
    @techtutorish 11 років тому +1

    Interesting as always!

  • @nowhereman3814
    @nowhereman3814 9 років тому +10

    So...what the hell does nonce mean in Britain?

  • @jondoe4828
    @jondoe4828 10 років тому

    The real trouble with referers is they're user controlled meaning can be spoofed which is why injecting cryptographic checksum/tokens is the only way.
    This is much better than your SQL injection video. Too high level for me, but good explanation for the laymen.

  • @chriskormaris
    @chriskormaris 7 років тому

    thanks for this magnificent explanation!

  • @kuro68000
    @kuro68000 9 років тому +6

    Why does the camera randomly zoom in some times? it's really distracting.

  • @yinge101
    @yinge101 11 років тому

    Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?

  • @Betacak3
    @Betacak3 11 років тому +1

    Speaking of account deletion, it's even safer to create a token and *not* return it directly to the user, but send an e-mail containing a link with this token.

    • @Fuogger
      @Fuogger 11 років тому

      Can you explain this more? I think I get what you're getting at but please explain.

    • @Betacak3
      @Betacak3 11 років тому +1

      Fuogger You may know this from several websites, when you have to click a link inside of an e-mail to confirm your action.

  • @sacredgeometry
    @sacredgeometry 11 років тому

    I love these videos, thank you.

  • @bbsonjohn
    @bbsonjohn 9 років тому +1

    Tom Scott, I want to visit your awesome blog.

  • @CrystalblueMage
    @CrystalblueMage 10 років тому

    Being able to create your own version of a form a send that is a problem in general, as you could also strip out any checks in the original form you don't like.

  • @evenstevens280
    @evenstevens280 11 років тому +1

    This guy is so good. More of him! :D

  • @samramdebest
    @samramdebest 11 років тому +18

    but what if the malicious webpage itself loads the bank site in the background, it can get the token that way.

    • @mart3323
      @mart3323 11 років тому +5

      cross-site scripting is blocked in browsers
      as a simple example, say i have a site with a bunch of livestream embeds, and i set up a script that when i press F2, it scrolls to my favourite one
      As soon as i click inside any of the streams, say the play button.., F2 won't work
      and it'll continue to not work until i click outside again, giving focus back to my own page
      The only way they can load the bank would be to actually load the bank visibly to you, because you're the only one that can interact with it..
      the scripts can't..., not theirs anyway

    • @samramdebest
      @samramdebest 11 років тому +5

      I think that what you are saying is incorrect, i have done some coding with AJAX(Asynchronous JavaScript and XML) and it didn't need to be visible to be able to load.
      and almost every page on the internet gets data from other sites invisible(i once had a chrome extension that showed which site you visited and where they took data from, an average site connected to more than 20 different websites(like for tracking: google analytic)

    • @OKMX5
      @OKMX5 11 років тому +6

      I think that the token will be different because it is another loading/creation of the form.

    • @samramdebest
      @samramdebest 11 років тому +1

      what do you mean other loading/creation of the form, it is not, the site downloads the form and the token, and then sends it back to the bank

    • @samramdebest
      @samramdebest 11 років тому

      oh do you mean, that even for the request of the forum not only the submission needs to be accompany by the token? That would make more sense and would solve that problem, thanks

  • @Kerbobotat
    @Kerbobotat 11 років тому

    Really interesting! But how do you know if your bank, etc. is using the token system? Also, can we get a computerphile video explaining bitcoin?