
What SameSite by default means for the future of CSRFs

Photo by Mak on Unsplash.

CSRF vulnerabilities happen when an attacker can make a victim's browser issue a forged state-changing request to a target application from a page on another site. This works because, by default, the browser attaches the user's session cookies to a request based only on the request's destination, regardless of which site initiated it.

Besides implementing CSRF tokens to ensure the authenticity of requests, another way of protecting against CSRF is SameSite cookies.

SameSite Cookies

A web application instructs the user’s browser to set cookies via a Set-Cookie header. For example, this header will make the client browser set the value of the cookie PHPSESSID to UEhQU0VTU0lE:

Set-Cookie: PHPSESSID=UEhQU0VTU0lE

Besides the basic "cookie_name=cookie_value" pair, the Set-Cookie header accepts several optional attributes you can use to protect your users' cookies. One of them is the SameSite attribute, which helps prevent CSRF attacks. When a cookie's SameSite attribute is set to Strict, the client's browser will not send the cookie on any cross-site request, including top-level navigations that arrive from another site. …
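The decision the browser makes is easy to model. The block below is an added example, not code from the article or from Vickie Li: it parses a Set-Cookie header and then applies the SameSite rules (Strict, Lax, None, and the "Lax by default" behaviour that gives the article its title) to a handful of CSRF scenarios. It goes beyond the excerpt by covering Lax and None as well as Strict. The `siteOf` helper approximates a "site" as scheme plus the last two DNS labels; this is an assumption for the example, since real browsers use the Public Suffix List, and Chrome's temporary "Lax+POST" allowance for freshly set cookies is not modelled.

```javascript
// Added example (not from the article): a model of how a browser decides
// whether to attach a cookie to a request, driven by the SameSite attribute.

// Parse "name=value; Attr; Attr=val" into a small cookie object.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), sameSite: null, secure: false };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'samesite') cookie.sameSite = (v || '').trim().toLowerCase();
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// ASSUMPTION: registrable domain = last two labels. Real browsers consult the
// Public Suffix List, so e.g. "example.co.uk" would be handled differently.
function siteOf(url) {
  const u = new URL(url);
  const registrable = u.hostname.split('.').slice(-2).join('.');
  return `${u.protocol}//${registrable}`; // schemeful same-site: http != https
}

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// initiator: URL of the page that started the request (the attacker's page in a CSRF).
// target: the request URL. topLevelNavigation: true for link clicks and form
// submissions that replace the whole page, false for fetch/XHR/img/iframe loads.
function browserSendsCookie(cookie, { initiator, target, method = 'GET', topLevelNavigation = false }) {
  if (cookie.secure && new URL(target).protocol !== 'https:') return false;
  const sameSite = siteOf(initiator) === siteOf(target);

  // "SameSite by default": a missing or unrecognised value is treated as Lax.
  let mode = cookie.sameSite;
  if (!['strict', 'lax', 'none'].includes(mode)) mode = 'lax';

  switch (mode) {
    case 'strict':
      return sameSite; // never sent cross-site, not even on a top-level GET
    case 'lax':
      if (sameSite) return true;
      // Cross-site: only on a top-level navigation with a safe method.
      return topLevelNavigation && SAFE_METHODS.includes(method.toUpperCase());
    case 'none':
      // SameSite=None is only honoured together with Secure; otherwise the
      // cookie is rejected at set time and is never available to send.
      return cookie.secure;
  }
}

// Classic CSRF: attacker's page auto-submits a POST form to the bank.
const csrfPost = {
  initiator: 'https://attacker.example/',
  target: 'https://bank.example/transfer',
  method: 'POST',
  topLevelNavigation: true,
};

function demo() {
  const headers = [
    'PHPSESSID=UEhQU0VTU0lE',                      // no attribute: Lax by default
    'PHPSESSID=UEhQU0VTU0lE; SameSite=Strict',
    'PHPSESSID=UEhQU0VTU0lE; SameSite=Lax',
    'PHPSESSID=UEhQU0VTU0lE; SameSite=None; Secure', // legacy behaviour, opt-in
  ];
  for (const h of headers) {
    const sent = browserSendsCookie(parseSetCookie(h), csrfPost);
    console.log(`${h.padEnd(48)} -> cookie sent on cross-site POST: ${sent}`);
  }
}

demo();
```

Read the output as "does this cookie alone defend against a cross-site POST": only the `SameSite=None; Secure` cookie is attached, which is why the move to Lax-by-default breaks the most common CSRF shape while leaving cross-site top-level GETs (and same-site requests from a subdomain) intact. Strict additionally blocks those, at the cost of logging users out when they follow a link to your site from elsewhere.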


Strategies to finally make people answer your technical questions

Photo by Rohit Farmer on Unsplash.

Have you ever asked a question on the internet (on Twitter, Reddit, Stack Overflow) just to have it completely ignored?

Lately, I have received many questions about cybersecurity via email and Twitter DMs. And honestly, I am guilty of ignoring quite a few of them. The unfortunate truth is that there are a lot of people online asking technical questions and a much smaller number of people answering questions. When it comes down to it, there is simply not enough time to answer every question in detail.

However, there are things you can do to help people help you on the internet. …


Practical fuzz testing to discover common web vulnerabilities

Photo by Michael Dziedzic on Unsplash.

Fuzzing is a way of finding bugs using automation. It involves feeding an application a wide range of invalid and unexpected input and monitoring it for crashes, exceptions and other abnormal behaviour. Web application fuzzing applies the same idea to web apps: payloads are injected into parameters, headers and paths, and each response is inspected for signs of common web vulnerabilities such as injection issues and XSS.

I’ve discussed how fuzzing can help you discover XSS and SQL injections automatically in an earlier article. If you haven’t already, please take a look to understand the basics of fuzzing!

But how do you fuzz a web application effectively? And how can you utilize tools to achieve your goals? Today, we’ll take a practical look at how to fuzz for the most common web vulnerabilities using the open-source tool Wfuzz. …
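To make the fuzz loop concrete before turning to Wfuzz, here is an added example that is not from the article and is not Wfuzz's code: a minimal fuzzer that injects payloads into one parameter and classifies each response by the signals a web fuzzer watches for, server errors, reflected payloads (XSS candidates) and database error strings (SQL injection candidates). The target, `mockEndpoint`, is a constructed in-process stand-in for a vulnerable search endpoint so that the example runs offline; the payload list and error patterns are illustrative, not a complete wordlist.

```javascript
// Added example (not from the article, not Wfuzz): a tiny web fuzzer loop.

// Illustrative payloads; a real run would load a wordlist of thousands.
const PAYLOADS = [
  'normal',
  "'",
  '"',
  '<script>alert(1)</script>',
  "' OR '1'='1",
  '1; DROP TABLE users--',
  '../../etc/passwd',
  'A'.repeat(5000),
  '\u0000',
];

// Error strings that commonly leak from database drivers.
const SQL_ERROR_PATTERNS = [
  /you have an error in your sql syntax/i,
  /unclosed quotation mark/i,
  /pg_query\(\)|psql: error/i,
  /sqlite3? error|near ".*": syntax error/i,
];

// CONSTRUCTED target: builds SQL by string concatenation and echoes the
// search term into HTML without encoding. It imitates how a real endpoint
// would fail: an unbalanced quote produces a driver error, oversized input
// produces a generic 500.
function mockEndpoint(params) {
  const q = params.get('q') ?? '';
  if (q.length > 4096) return { status: 500, body: 'Internal Server Error' };
  const sql = `SELECT * FROM items WHERE name = '${q}'`;
  const quoteCount = (sql.match(/'/g) || []).length;
  if (quoteCount % 2 !== 0) {
    return { status: 500, body: `MySQL error: You have an error in your SQL syntax near '${q}'` };
  }
  return { status: 200, body: `<h1>Results for ${q}</h1>` };
}

// Turn one response into a list of findings. Reflection only counts when the
// payload carries characters that matter in HTML and came back unchanged.
function analyze(payload, response) {
  const findings = [];
  if (response.status >= 500) findings.push('server-error');
  if (SQL_ERROR_PATTERNS.some((re) => re.test(response.body))) findings.push('sql-error');
  if (/[<>"']/.test(payload) && response.body.includes(payload)) findings.push('reflected-unencoded');
  return findings;
}

// Fuzz a single parameter. `endpoint` takes URLSearchParams and returns
// { status, body }; to fuzz a live app, replace it with a function that
// performs fetch() and awaits the body.
function fuzzParameter(endpoint, paramName, payloads = PAYLOADS) {
  const results = [];
  for (const payload of payloads) {
    const params = new URLSearchParams({ [paramName]: payload });
    const response = endpoint(params);
    const findings = analyze(payload, response);
    if (findings.length > 0) results.push({ payload, status: response.status, findings });
  }
  return results;
}

for (const r of fuzzParameter(mockEndpoint, 'q')) {
  console.log(`${r.status} ${r.findings.join(',')}\t${JSON.stringify(r.payload.slice(0, 40))}`);
}
```

The classification is deliberately coarse: it flags candidates for a human to confirm, which is the same workflow you follow with Wfuzz's filters (`--hc`, `--hl`, `--hw`) to hide the uninteresting responses and look at what is left. Note that `' OR '1'='1` produces no error at all because its quotes balance, a reminder that error-based signals miss boolean-based injection and that a response-length or content comparison is needed to catch it.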

About

Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7
