Explore the intricacies of request forgery on the web in this comprehensive 47-minute keynote presentation by Jim Manico, Founder and CEO of Manicode Security. Delve into various forms of request forgery, including Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), and Clickjacking. Learn about real-world attack scenarios, such as the Netflix request forgery and the Capital One case, and discover effective defensive strategies like nonce tokens, SameSite cookies, and the double-cookie submit pattern. Gain valuable insights into protecting web applications from these security threats, including best practices for URL encoding, origin header checks, and X-Frame-Options implementation. Enhance your understanding of web security and equip yourself with the knowledge to build more secure applications in this OWASP Foundation-managed talk.
Keynote: Request Forgery on the Web - SSRF, CSRF and Clickjacking
Overview
Syllabus
Introduction
What is request forgery
Examples
Crosssite request forgery
Netflix request forgery
Single signon
Traditional Web Apps
Get Requests
Double Submit
Browser Standards
Same site lacks
Cookie defense
Check origin header
Control origin header
Crosssite scripting
Twitter attack
Crosssite request forgery cheat sheet
Serverside request forgery
Capital One case
From another angle
SSRF attack
How to fix
URL Encoding
SSRF
Summary
Questions
Web Frameworks
Service on request forgery
Clickjacking
XFrameOptions
Taught by
OWASP Foundation
Related Courses
-
OWASP Top 10 - A10:2021 - Server-Side Request Forgery (SSRF)
-
The Past, Present, and Future of Cross-Site and Cross-Origin Request Forgery
-
Popular Web Attacks - XSS, CSRF, SSRF, SQL Injection, MIME Sniffing, Smuggling and More
-
Surfing the Sea and Drowning in Tabs - An Introduction to Cross Site Request Forgery
-
The Past, Present, and Future of Cross-Site - Cross-Origin Request Forgery
-
Learning Server Side Request Forgery Basics Using Portswigger's Web Security Academy
