#csrf

2026-01-30

[PortSwigger][Practitioner] - Lab: CSRF where token is not tied to user session
In this lab, the vulnerability was Cross-Site Request Forgery (CSRF), caused by a lack of proper synchronization between the CSRF token and user sessions. The application issued CSRF tokens for all requests without tying them to active user sessions, allowing an attacker to exploit unintended actions on behalf of the victim. The researcher used Burp Suite's Intruder tool to inject a malicious payload into a victim's browser through a phishing email or other means. By exploiting this flaw, the attacker could execute unwanted account changes or data manipulation, as the application accepted user requests without verifying their origin. The impact included unauthorized actions and potential privacy breaches. Remediation includes tying CSRF tokens to active user sessions during token generation. Key lesson: Always ensure proper synchronization between CSRF tokens and user sessions to prevent CSRF attacks. #BugBounty #Cybersecurity #WebSecurity #CSRF #InputValidation

medium.com/@Javiki/portswigger

2026-01-30

Cross-Site Request Forgery (CSRF): A Practical Methodology for Security Testing
This article presents a practical approach to detect Cross-Site Request Forgery (CSRF) vulnerabilities in web applications. The root cause of CSRF is insufficient input validation, which allows an attacker to manipulate user sessions and perform unintended actions on behalf of the victim. The researcher utilized Burp Suite's Intercept feature to intercept a request containing a vulnerable form (e.g., update password) and crafted a malicious payload with a hidden iframe (e.g., <iframe src='attacker.com/csrf?id=123'>). By injecting this payload into another website, the attacker triggered the victim's browser to execute the vulnerable form request. The system did not verify the origin of the request, resulting in unauthorized account changes. Potential consequences include data breaches, account takeovers, and privacy violations. The researcher received a reward for reporting this flaw and encouraged developers to implement proper synchronization between CSRF tokens and user sessions, or use modern approaches like Content Security Policy (CSP) and Subresource Integrity (SRI). Key lesson: Always validate user inputs and verify the origin of requests to prevent CSRF attacks. #BugBounty #WebSecurity #CSRF #InputValidation

iaraoz.medium.com/cross-site-r

2026-01-24

The author has built an open-source security boilerplate (Node/React/Postgres) with: httpOnly cookies, Admin/User role separation, CSRF protection, login logging, and a flexible Docker workflow. You are invited to test it for vulnerabilities or give feedback on the project structure #WebDev #Security #PhanQuyen #CSRF #OpenSource #JavaScript #Authentication #Boilerplate #RBAC #Docker #AnToan // A rapid-development starting point for freelance/informational projects 🔐🚀

reddit.com/r/SideProject/comme

2026-01-16

iX Workshop: OWASP Top 10 – Understanding security risks for web applications

Learn about the most important security vulnerabilities in web applications and find out how to protect yourself effectively.

heise.de/news/iX-Workshop-OWAS

#XSS #CSRF #IT #iXWorkshops #OWASP #news

2026-01-11

That moment when you spend time hooking up CSRF protection for your frontend and backend... And then realize you don't need it because you're authenticating with Bearer tokens and not cookies anyway. 😅

#HTTP #authentication #CSRF

2026-01-02

iX Workshop: OWASP Top 10 – Understanding security risks for web applications

Learn about the most important security vulnerabilities in web applications and find out how to protect yourself effectively.

heise.de/news/iX-Workshop-OWAS

#XSS #CSRF #IT #iXWorkshops #OWASP #news

2025-12-31

🛡️ CSRF-like request token handling in TYPO3

A CSRF-like request token handling is available to mitigate potential cross-site requests on actions with side effects. This approach does not require an existing server-side user session, but uses a nonce as a "pre-session".

➡️ docs.typo3.org/m/typo3/referen

#TYPO3 #security #csrf

Nicolas Fränkel 🇪🇺🇺🇦🇬🇪 (frankel@mastodon.top)
2025-12-29
GripNews
2025-12-24

🌗 CSRF protection without tokens or hidden form fields
➤ Farewell to cumbersome tokens: building a modern web security defense from native browser headers
blog.miguelgrinberg.com/post/c
This article, written by Microdot framework developer Miguel Grinberg, explores an unconventional CSRF (Cross-Site Request Forgery) defense mechanism described as "modern". Developers have traditionally relied on anti-CSRF tokens or hidden fields to verify where a request comes from, but the author found that the browser's built-in Fetch Metadata headers, `Sec-Fetch-Site` in particular, achieve the same goal more elegantly and efficiently. The author shares the technical details of implementing this feature in the Microdot framework, including how to handle subdomain security, the fallback mechanism for older browsers, and how to integrate existing CORS settings to simplify the validation logic. This technique not only simplifies the server-side implementation, it has also received OWAS
Development Defense

2025-12-04

iX Workshop: OWASP Top 10 – Understanding security risks for web applications

Learn about the most important security vulnerabilities in web applications and find out how to protect yourself effectively.

heise.de/news/iX-Workshop-OWAS

#CSRF #IT #iXWorkshops #OWASP #Sicherheitslücken #news

2025-11-26

[Translation] A modern approach to preventing CSRF/CORF attacks in Go

The Go for Devs team has prepared a translation of an article on a new approach to protecting Go applications from CSRF/CORF attacks. The author examines how the combination of TLS 1.3, SameSite cookies and http.CrossOriginProtection from the standard library makes it possible to do without tokens, but only if important conditions are met. How secure is this approach? Let's find out.

habr.com/ru/articles/968132/

#go #csrf #tsl #безопасность #браузеры #защита #samesite
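Both the Miguel Grinberg post above and this Go translation describe the same idea: decide whether a state-changing request is cross-origin from the `Sec-Fetch-Site` header, fall back to comparing `Origin` with `Host` for browsers that do not send Fetch Metadata, and reuse an existing CORS allowlist for the cross-site origins that are legitimately permitted. The block below is an added example written for this page; it is not Microdot's code and not Go's `http.CrossOriginProtection`. The class name `CrossOriginCheck`, the trusted-origin list, the subdomain policy and the sample requests are constructed assumptions for illustration.

```python
# Added example (not Microdot's nor Go's net/http code): an origin-based CSRF
# check built on the Fetch Metadata header Sec-Fetch-Site, with an Origin/Host
# fallback for browsers that do not send it. Trusted origins, the subdomain
# policy and the sample requests below are illustrative assumptions.
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CrossOriginCheck:
    def __init__(self, trusted_origins=(), allow_subdomains=False):
        # trusted_origins plays the role of an existing CORS allowlist.
        self.trusted_origins = {o.lower() for o in trusted_origins}
        self.allow_subdomains = allow_subdomains

    def _origin_matches_host(self, origin, host):
        # Compare only host names; ports are dropped via urlsplit.
        ohost = (urlsplit(origin).hostname or "").lower()
        hhost = (urlsplit("//" + host).hostname or "").lower()
        if ohost == hhost:
            return True
        return self.allow_subdomains and ohost.endswith("." + hhost)

    def reject_reason(self, method, host, headers):
        """Return None if the request may proceed, otherwise a short reason."""
        if method.upper() in SAFE_METHODS:
            return None  # side-effect-free methods are not CSRF targets
        h = {k.lower(): v for k, v in headers.items()}
        origin = h.get("origin")
        site = h.get("sec-fetch-site")
        if site is not None:
            site = site.lower()
            if site in ("same-origin", "none"):
                return None  # same origin, or user-initiated (address bar, bookmark)
            if site == "same-site" and self.allow_subdomains:
                return None  # sibling subdomain, explicitly permitted by policy
            if origin and origin.lower() in self.trusted_origins:
                return None  # cross-site but allowlisted, CORS-style
            return f"Sec-Fetch-Site={site} rejected"
        # Fallback for browsers without Fetch Metadata: compare Origin with Host.
        if origin is None:
            # Assumption of this example: no browser signal at all is treated as a
            # non-browser client (scripts, curl) that carries no ambient cookies.
            return None
        if origin.lower() == "null":
            return "Origin=null rejected"  # sandboxed iframe or opaque origin
        if origin.lower() in self.trusted_origins or self._origin_matches_host(origin, host):
            return None
        return f"Origin {origin} does not match host {host}"


# Constructed sample requests (not captured traffic) aimed at host api.example.com.
SAMPLE_REQUESTS = [
    ("modern browser, same origin", "POST", {"Sec-Fetch-Site": "same-origin"}),
    ("modern browser, cross-site form", "POST",
     {"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example.org"}),
    ("modern browser, allowlisted SPA", "POST",
     {"Sec-Fetch-Site": "cross-site", "Origin": "https://app.example.com"}),
    ("modern browser, sibling subdomain", "POST",
     {"Sec-Fetch-Site": "same-site", "Origin": "https://blog.example.com"}),
    ("legacy browser, cross-origin", "POST", {"Origin": "https://evil.example.org"}),
    ("legacy browser, same host", "POST", {"Origin": "https://api.example.com"}),
    ("sandboxed iframe", "POST", {"Origin": "null"}),
    ("curl / script", "POST", {}),
    ("plain navigation", "GET", {"Sec-Fetch-Site": "cross-site"}),
]


def run_demo(allow_subdomains=False):
    """Evaluate every sample request; returns {label: None or rejection reason}."""
    check = CrossOriginCheck(trusted_origins=["https://app.example.com"],
                             allow_subdomains=allow_subdomains)
    return {label: check.reject_reason(method, "api.example.com", hdrs)
            for label, method, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, reason in run_demo().items():
        print(f"{label:35s} -> {'allow' if reason is None else 'reject: ' + reason}")
```

The two policy decisions worth noticing are the ones both posts dwell on: `same-site` is only accepted when the application has deliberately opted in to trusting sibling subdomains, and a request with neither header is let through on the assumption that it did not come from a browser, which is only safe when authentication rides on cookies that a non-browser client cannot carry implicitly.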

2025-11-18

iX Workshop: OWASP Top 10 – Understanding security risks for web applications

Learn about the most important security vulnerabilities in web applications and find out how to protect yourself effectively.

heise.de/news/iX-Workshop-OWAS

#CSRF #IT #iXWorkshops #OWASP #Sicherheitslücken #news

Offensive Sequence (offseq@infosec.exchange)
2025-11-17

🔥 CVE-2025-13282 (HIGH): Chunghwa Telecom TenderDocTransfer allows unauth'd file deletion via CSRF & path traversal flaws. Block app/API ports, educate users, and back up data! No patch yet. Details: radar.offseq.com/threat/cve-20 #OffSeq #CSRF #infosec #vuln

High threat: CVE-2025-13282: CWE-352 Cross-Site Request Forgery (CSRF) in Chunghwa Telecom TenderDocTransfer
Offensive Sequence (offseq@infosec.exchange)
2025-11-17

⚠️ CVE-2025-13283 (HIGH): Chunghwa Telecom TenderDocTransfer has a CSRF & path traversal vuln—lets unauth attackers copy/paste files via APIs. Phishing = risk of data leaks & DoS. Restrict & monitor now! radar.offseq.com/threat/cve-20 #OffSeq #Vuln #CSRF #InfoSec

High threat: CVE-2025-13283: CWE-352 Cross-Site Request Forgery (CSRF) in Chunghwa Telecom TenderDocTransfer
Chema Alonso (chemaalonso@ioc.exchange)
2025-11-10

El lado del mal - HackedGPT: How to exploit "Weaknesses" in ChatGPT for phishing or data exfiltration elladodelmal.com/2025/11/hacke #ChatGPT #GPT #Phishing #PromptInjection #Bing #CSRF #IA #AI #Ciberseguridad #Hacking

2025-11-09

Top Advanced XSS Payloads That Still Work in 2025
This article explores advanced Cross-Site Scripting (XSS) payloads that remain effective in 2025 despite modern security defenses. XSS continues to be a persistent vulnerability due to the complexity of modern web frameworks (React, Vue, Angular) that generate dynamic content with intricate JavaScript behavior patterns. The advanced payloads discussed focus on bypass techniques that overcome common defenses like Content Security Policy (CSP) filters and sanitization libraries. These sophisticated attack vectors leverage encoding obfuscation, DOM event manipulation, and framework-specific vulnerabilities to evade traditional filter-based defenses. The exploitation techniques include payload variations that target complex JavaScript execution contexts, utilizing obscure DOM events, and exploiting implementation flaws in client-side security controls. Modern XSS payloads often combine multiple evasion techniques including character encoding manipulation, filter bypass through context switching, and leveraging browser-specific parsing behaviors. The tools and methodologies mentioned focus on advanced testing frameworks that can identify XSS vulnerabilities in complex web applications. The significance of these payloads lies in their continued effectiveness against inadequate input validation and sanitization implementations. The impact ranges from session hijacking and credential theft to complete client-side system compromise. Bug bounty hunters and penetration testers need to understand these advanced techniques as they represent real-world threats that traditional security measures often fail to detect. The article emphasizes that despite framework improvements, XSS remains a critical vulnerability requiring continuous research and adaptation of both attack and defense strategies. #infosec #BugBounty #Cybersecurity #XSS #WebSecurity #Payload #Exploit #CSRF
medium.com/@xmxa-tech/top-adva

2025-11-04

iX Workshop: OWASP Top 10 – Understanding security risks for web applications

Learn about the most important security vulnerabilities in web applications and find out how to protect yourself effectively.

heise.de/news/iX-Workshop-OWAS

#CSRF #IT #iXWorkshops #OWASP #Sicherheitslücken #news

2025-10-30

Our hands-on intensive training „Hacking Extrem Web-Applikationen“ teaches you how real attackers think and how you can protect yourself effectively against them.

What to expect:
✅ Realistic attacks on web applications and backends
✅ Full coverage of the OWASP Top Ten
✅ Hands-on labs with real tools and exploits
✅ Delivered by experienced application security experts

Topics:
✅ Information gathering
✅ Attacks on web and application servers, on the transport layer, the application and the backend
✅ Systems covered include Unix- or Windows-based web servers, databases, application servers, etc.

For everyone who wants not just to understand application security but to experience it.
Register now and secure your place:

👉 cirosec.de/trainings/hacking-e

#Webanwendungen #Backends #OWASPTopTen #HandsOnLabs #Applikationssicherheit #Informationsgewinnung #Webserver #TLS #Sessions #SQLInjection #XSS #CSRF #SSRF #CommandInjection #Logikfehler #DateiUploads #XMLInjection #Schwachstellen
