Defense Against the Dark Arts: CSRF Attacks

Richard Feldman on April 17, 2017

After an unspecified "werewolf incident" we have become the new maintainer of the web app. Our first day on the job begins with Pro...

It's now 2019 and yet IMO this is the best article on CSRF out there 😁
I have this in my favorites and I check it every now and then.


As far as my knowledge goes: there was a bug in Flash in 2013/2014 that allowed adding custom headers without a preflight.

It could happen again with any other plugin. Therefore implementing tokens is not only second-line, but should be the first line of defense :)


It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)


If you are able to set Referer/Origin, the check would be useless. The only reason the check works: you can't set certain headers without a preflight because of CORS restrictions.

BUT: you are right. This particular bug does not affect the Referer/Origin check, because some headers are blacklisted in Flash.
I just wanted to show that it happened before, and planning for a failure in a security system because of some other piece of software is never a good idea.

So implementing one solution (tokens), instead of one solution which could break plus one solid one, is more cost effective.
Tokens are implemented in nearly every framework. Using them is most of the time the easier option.

But I like your writing, and that you supply all the information :)
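The two controls discussed in this exchange, a session-bound CSRF token as the primary check and an Origin/Referer allow-list as the backstop, as an added example that is not part of the article or any comment. The secret, the allowed origin, the session ids and the headers are constructed for the example; a real deployment would load the key from configuration and the session id from the authenticated session.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for this example: in production the key comes from
# configuration and ALLOWED_ORIGINS lists the site's own origins.
SERVER_SECRET = b"example-only-key-replace-with-random-bytes-from-config"
ALLOWED_ORIGINS = {"https://app.example.test"}


def issue_csrf_token(session_id):
    """Bind a random nonce to the session with an HMAC, so a token captured
    from one session cannot be replayed against another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Primary defence: recompute the MAC for this session and compare in
    constant time. Any malformed or missing token is rejected."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers):
    """Second line of defence: the browser sets Origin (or Referer) itself and
    a page cannot overwrite them without triggering a CORS preflight.
    Requests that carry neither header cannot be attributed, so they are
    refused for state-changing operations."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def accept_state_change(session_id, headers, form):
    """Gate for POST/PUT/DELETE handlers: both checks must pass, and the
    reason for a rejection is returned so it can be logged."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return False, "bad or missing CSRF token"
    if not origin_allowed(headers):
        return False, "request origin not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: a form post from the site's own origin.
    token = issue_csrf_token("session-123")
    print(accept_state_change("session-123",
                              {"Origin": "https://app.example.test"},
                              {"csrf_token": token}))
    # Constructed cross-site request: valid cookie session, no token.
    print(accept_state_change("session-123",
                              {"Origin": "https://attacker.example.test"},
                              {}))
```

Order matters for the failure modes the thread describes: the token is checked first, so even if a plugin bug ever let a page forge Origin again, the forged header alone would not pass the gate; and a request that lacks both headers is treated as untrusted rather than waved through.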


I have been to Apparently the maintainer has already been severely hacked, since the hackers succeeded in taking control of the domain name and unregistering it. So I'm not sure if I should listen to the maintainer, because his own security seems lacking.


Wow! How vivid this is! Am I the only one who attempted to go to This post is so fun to read!


Very nice topic. And I love your pictures...very cool ;)


My old websites have totally been a subject of these attacks o_O


Very well written Richard! Even though I'm not familiar with HP terminology :).


This was great, thanks for writing. Reminds me of the Hogwarts IT guy tumblr.


Reading it was VERY interesting. Thanks for sharing this article with us, Richard!


Great story-telling on this technical (and often overlooked) problem! Thanks.


Or you could use unguessable URIs (aka capabilities) and the whole process isn't necessary…
