CSRF: Signed Double Submit Cookie & ‘Referer’ validation vs MITM and vulnerable subdomains

I have been researching various techniques for preventing CSRF attacks, such as SOP, SameSite, Secure, Referer validation, and CSRF Tokens, and their potential bypasses. During my research, I discovered the following vulnerabilities:

A we…

Can strict ‘Referer’ validation also be bypassed with vulnerable subdomains?

I have been researching various common techniques for preventing CSRF attacks, such as SameSite, Secure, and CSRF Tokens, and how they can be bypassed. I found that the following vulnerabilities exist:

A website’s subdomain or sibling dom…

Why famous frameworks like Django (and probably Rails) use both synchronizer pattern and Origin/Referer header checks for preventing CSRF attacks?

I see in the source code of Django that they do use both synchronizer token pattern and Origin/Referer header checks. I understand that if you are using the double-submit technique via cookie the following attack will work and you need to …

Is it recommended to set Referrer-Policy explicitly when browsers already have a default policy?

I wanted to explicitly define the referrer-policy as "strict-origin-when-cross-origin" in my web application. However, "strict-origin-when-cross-origin" is the browser’s default policy when no referrer-policy is set exp…

How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?

Take an example of Google Maps. Google Maps provides a JavaScript client SDK, which means any web app running JavaScript can access the Google Maps SDK. You need to use an API_KEY so that Google can rate limit your requests, and apply some…

How some sites prevent cross-site requests through referrer although there are redirections allowed

I read about the referrer header that some sites use to allow only requests made by the pages of the site. So if I make a page hacker.com, and let this page make a request to https://twitter.com/i/flow/add_phone , twitter will refuse this requ…

Why did browser authors not make 127.0.0.1/localhost-hosted webpages skip the referrer?

For a long time, I was so convinced that 127.0.0.1/localhost-hosted webpages, that is, with URLs such as:

http://127.0.0.1/MySecretControlPanel/sensitive.php?stuff=goes&here=dude

… did not send the “HTTP referrer” header when you …