Website with the collection of all the cheat sheets of the project.
To start with, a quick recap on what Cross-Site Request Forgery is:
In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data…
I'm submitting a... [ ] Regression (a behavior that used to work and stopped working in a new release) [X] Bug report [ ] Feature request [ ] Documentation issue or request [ ] Support request => ...
Rails protects you against CSRF attacks, but it gives you a lot of customisation on how you want to react to them. It can be a great thing as you can have your own strategies, but it can also lead to security issues.
TL;DR Nope, I didn't find a major breach, just an interesting detail in reCAPTCHA's design. CAPTCHA ain't no good for CSRF I was told on...
Being involved in different projects where web technologies are used, I have to make sure that AppSec-related security nightmares are avoided. One of those security nightmares - and in my own opinion the most complicated one to explain to a non-sec person - is CSRF. I won't go into details since these are freely available. Furthermore, I would like to focus on the countermeasures one would implement to prevent CSRF.
Learn to configure CSRF protection in a Clojure / Pedestal App
I'm going to explain Cross-site scripting (XSS) & Cross-site request forgery (XSRF/CSRF) to myself.
API authentication can be tricky. OAuth 2 is the reigning ruler of the various standards that you might consider, but it's complex and difficult to implement—even with the great packages available (League and Luca among them). We're talking many routes, dozens of migrations, complicated configuration, and much more—even with amazing packages trying to simplify the situation as much as possible.

Laravel Passport is a native OAuth 2 server for Laravel apps. Like Cashier and Scout, you'll bring it into your app with Composer. It uses the League OAuth2 Server package as a dependency but provides a simple, easy-to-learn and easy-to-implement syntax.

Laying the groundwork in Laravel 5.2

In Laravel 5.2, we got a new structure in our authentication system: multiple auth drivers. This means that, instead of there being a single auth system that is responsible for one app at a time, you can apply different auth systems to different routes (or in different environments). Out of the box, we got the same auth system we've always had and a new token-based auth system for APIs. Laravel 5.2's token system was fine enough—but it wasn't really any more secure than normal password login. It was there, most importantly, to lay the groundwork for packages like Passport, which essentially adds a new "passport" driver you can use in your app to make certain routes OAuth2 authed.

Installing Passport

Follow these steps on any Laravel 5.3 app and you'll be on your way to the easiest OAuth 2 server possible:

1. Install Passport via Composer: composer require laravel/passport
2. Go to config/app.php, and add Laravel\Passport\PassportServiceProvider to your providers list.
3. Run the new migrations; because of 5.3's multiple migration paths, the new Passport migrations will be included in your normal migration path: php artisan migrate
4. Run php artisan passport:install, which will create encryption keys (local files) and personal/password grant tokens (inserted into your database).
5. Go to your Use
Most web applications today use browser cookies to keep a user logged in while she is using the application. Cookies are a decades-old device and they do not stand up well to security threats that have emerged on the modern web. In particular, cookies are vulnerable to cross-site request forgery. Web applications can be made more secure by using OAuth for session authentication…
Katie Fenn opens the door on our 2018 season by transporting us back to the turn of the century when new lessons were being learned about web security. Those who don’t learn from the past are condemned to repeat it, so fasten up your winter coat and let Katie lead you through some of the darker parts of the forest.