It's now 2019 and yet IMO this is the best article on CSRF out there 😁
I have this in my favorites and I check it every now and then.
As far as my knowledge goes: there was a bug to add custom headers without a preflight in Flash in 2013/2014.
It could happen again with any other plugin. Therefore implementing tokens is not only second-line, but should be the first line of defense :)
It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)
If you are able to set Referer/Origin, the check would be useless. The only reason why the check works: you can't set certain headers without a preflight because of CORS restrictions.
BUT: you are right. This particular bug does not affect the Referer/Origin check, because some headers are blacklisted in Flash.
Just wanted to show that it happened before, and planning for a failure in a security system because of another piece of software is never a good idea.
So implementing one solution (tokens), instead of a solution which could break plus one solid one, is more cost effective.
Tokens are implemented in nearly every framework. Using them is most of the time the easier option.
But I like your writing, and that you supply all the information :)
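A defender-side sketch of the two checks the comments compare (token as first line, Origin/Referer as second line), added here as an example; it is not code from the article or from any commenter, and the allowed-origin set, server secret and session id are constructed placeholders:

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed configuration for the example (assumptions, not from the thread).
ALLOWED_ORIGINS = {"https://app.example.test"}
SERVER_SECRET = b"constructed-server-secret"  # real deployments: random, from config


def issue_token(session_id: str) -> str:
    """Synchronizer-style CSRF token bound to the session via HMAC."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """First line of defense: the submitted token must match the session's token."""
    if submitted is None:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def origin_allowed(headers: dict) -> bool:
    """Second line: Origin (or Referer when Origin is absent) must be an allowed origin.
    Both headers are browser-controlled and cannot be set by page scripts,
    which is the only reason this check holds; a missing header is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def accept_state_changing_request(session_id: str, headers: dict, form: dict) -> bool:
    """Defense in depth: both checks must pass for a state-changing request."""
    return token_valid(session_id, form.get("csrf_token")) and origin_allowed(headers)


# Constructed sample requests.
SESSION = "sess-123"
SAME_SITE = {"Origin": "https://app.example.test"}
CROSS_SITE = {"Origin": "https://evil.example.test"}
REFERER_ONLY = {"Referer": "https://app.example.test/settings"}
```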
I have been to hogwarts.edu/. Apparently the maintainer has already been severely hacked since the hackers succeeded in taking control of the domain name and unregistering it. So I'm not sure if I should listen to the maintainer because his own security seems lacking.
Wow! How vivid this is! Am I the only one who attempted to go to hogwarts.edu? This post is so fun to read!
Very nice topic. And I love your pictures...very cool ;)
A great post on csrf. 👏👏
My old websites have totally been a subject of these attacks o_O
Very well written Richard! Even though I'm not familiar with HP terminology :).
This was great, thanks for writing. Reminds me of the Hogwarts IT guy tumblr.
Reading it was VERY interesting. Thanks for sharing this article with us, Richard!
Great story-telling on this technical (and often overlooked) problem! Thanks.
Or you could use unguessable URIs (aka capabilities) and the whole process isn't necessary…