📕 Full case study:
📧 Subscribe to BBRE Premium: bbre.dev/premium
✉️ Sign up for the mailing list: bbre.dev/nl
📣 Follow me on Twitter: bbre.dev/tw
This video is part of the CSRF case study in which I extracted all the disclosed CSRF reports from the Internet and studied them to adjust my CSRF bug-hunting methodology. This free part of the case study covers the SameSite cookie attribute and its impact on the reports.
🖥 Get $100 in credits for Digital Ocean: bbre.dev/do
Reports mentioned in the video:
/ facebook-sms-captcha-w...
github.com/cymtrick/lol/blob/...
yeuchimse.com/csrf-protection...
bugs.xdavidhu.me/google/2021/...
• Creating a KZitem TV ...
ermetic.com/blog/azure/emojid...
gitlab.com/gitlab-org/gitlab/...
• Client-side path trave...
webs3c.com/t/csrf-leads-to-ac...
Timestamps:
00:00 Intro
00:40 GET-based CSRF
02:43 CSRF reports by year
04:40 Reports that don't mention SameSite
07:39 SameSite=None
09:08 Client-side path traversal
11:41 Exploiting Chrome's 2-minute attack window
CSRF - how to find it in 2024? CSRF bug bounty case study