mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
#csrf


Docuware haz a whole lotta not giving a shit about CSRF.

"Hey, you are vulnerable to CSRF, see."

"HERE'S THE WRONG INSTRUCTIONS TO ADD SAMESITE TO THE COOKIE!"

"Those are wrong, and Samesite doesn't really fix CSRF, what about this auth header you are ignor"

"WE ARE FOLLOWING OWASP STANDARDS"

"Well, no, OWASP does mention SameSite, and its weaknesses, but this is ASP.NET, CSRF protection is built in if it is just enab"

"HERE'S THE WRONG INSTRUCTIONS TO ADD SAMESITE TO THE COOKIE!"

"We went over this, that doesn't wo"

"BUY OUR CLOUD VERSION!"

Fuck off.

Making the demo example from the official documentation of the npm package csrf-csrf actually work

Nothing is more infuriating when learning new packages/libraries than non-working examples from the official documentation. Until the very end you refuse to believe that the library authors botched the example sources that badly. You assume the programmers spent a lot of their time developing, testing and promoting the package, and that they could not possibly have published non-working examples. So if the examples don't work, something must be wrong on your side: either the new VPN is glitching, or the antivirus is strangling the library, or outdated versions of some software/drivers/libraries are conflicting. This article describes my experience of making the example for the npm package 'csrf-csrf' from the official documentation work. For those in a hurry, here is the GitHub repo with the sources: github.com/korvintaG/csrf-csrf . Important: pay attention to the comments, especially the ones with a lot of asterisks.

habr.com/ru/articles/869292/

GitHub - korvintaG/csrf-csrf_demo: Fixed working example from the official npm package csrf-csrf

For the German OWASP Day in Leipzig on November 13 we're excited to announce the first round of speakers/talks which the program committee determined yesterday.

* @freddy (builds security for the web as a security engineer and manager for Mozilla Firefox) will present "Modern solutions against Cross-Site Leaks (xs-leaks) and #CSRF"

* Shubham Agarwal will raise his voice against "Double-Edged Crime: How Browser Extension Fingerprinting Might Endanger Users and Extensions Alike"

* Nicolas Schickert, Ole Wagner and Matthias Göhring will tackle most companies' problem child "#SAP from an Attacker's Perspective – Common Vulnerabilities and Pitfalls"

* @bkimminich is celebrating the "OWASP Juice Shop 10th anniversary". There'll also be a Juice Shop training on the 12th!

* While Dr. Daniel Fett will be talking about "How (Not) to Use OAuth in 2024", Kristina Yasuda will tell you "The Crucial Role of Web Protocols and Standards in Digital Wallet Ecosystems" (EUDI Wallet)

* @TimPhSchaefers will demystify #NIS2 and hopefully #NIS2UmsuCG

* Stephan Pinto Spindler will share his experiences wrt "Network Fingerprinting for Securing User Accounts"

* Thomas Barber will give us a short insight into project #foxhound, a taint tracking project using a patched Firefox.

More to be announced soon! Expect more excellent topics to be announced during the next days!

> "The GPL is upstream-centric, the MIT license is downstream-centric."
> #CSRF and clickjacking are textbook examples of problems with global namespaces that would never happen in a capability system.
service providers can take #GPL software, make local improvements to it, and then sell the services without giving any of their changes back. Amazon makes billions of dollars per year from the #Xen Project (GPLv2), and hasn't submitted any patches in several years. I doubt that's because they're using stock upstream Xen releases with no modifications.

lwn.net/Articles/681028/

LWN.net: Rust's Redox OS could show Linux a few new tricks (InfoWorld)

When you are handling user data do you sanitize it...

Update: To be clear, sending data to a database is considered "use"; it is a given that you sanitize data before putting it in SQL or HTML.

(Boost for increased sample size)