CSRF: Signed Double Submit Cookie & ‘Referer’ validation vs MITM and vulnerable subdomains

I have been researching various techniques for preventing CSRF attacks, such as SOP, SameSite, Secure, Referer validation, and CSRF Tokens, and their potential bypasses. During my research, I discovered the following vulnerabilities:

A we… Continue reading CSRF: Signed Double Submit Cookie & ‘Referer’ validation vs MITM and vulnerable subdomains

Can strict ‘Referer’ validation also be bypassed with vulnerable subdomains?

I have been researching various common techniques for preventing CSRF attacks, such as SameSite, Secure, and CSRF Tokens, and how they can be bypassed. I found that the following vulnerabilities exist:

A website’s subdomain or sibling dom… Continue reading Can strict ‘Referer’ validation also be bypassed with vulnerable subdomains?

Why famouse frameworks like django (And probably Rails) use both synchronizer pattern and Origin/Referer header checks for preventing CSRF attacks?

I see in the source code of Django that they do use both synchronizer token pattern and Origin/Referer header checks. I understand that if you are using the double-submit technique via cookie the following attack will work and you need to … Continue reading Why famouse frameworks like django (And probably Rails) use both synchronizer pattern and Origin/Referer header checks for preventing CSRF attacks?

Is it recommended to set Referrer-Policy explicitly when the browsers already has a default policy?

I wanted to explicitly define the referrer-policy as "strict-origin-when-cross-origin" in my web application. However, "strict-origin-when-cross-origin" is the browser’s default policy when no referrer-policy is set exp… Continue reading Is it recommended to set Referrer-Policy explicitly when the browsers already has a default policy?

How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?

Take an example of google maps. google maps provides a javascript client SDK, which means any web app running javascript can access the google maps sdk. You need to use an API_KEY so that google can rate limit your requests, and apply some… Continue reading How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?

How some sites prevent cross-site requests through referrer although there are redirections allowed

I read about referrer header that some sites use to allow only requests made by the pages of the site. So if I make a page hacker.com, and let this page make a request to https://twitter.com/i/flow/add_phone , twitter will refuse this requ… Continue reading How some sites prevent cross-site requests through referrer although there are redirections allowed