Thursday, July 21, 2022 – 1 pm (UTC -4)
No. Not the web version of tossing a steak to the guard dog so it lets you by. I mean, “Setting cookies so that your browser doesn’t include them in malicious requests (and also a bit about other ways to pass authentication tokens),” but that’s way too many words for a title, no matter how you slice it.
The “Secure” flag tells the browser to send a cookie only over HTTPS, keeping it out of cleartext traffic. The “HttpOnly” flag hides a cookie from JavaScript (it never shows up in document.cookie). You probably know something about those. Do you know how the “SameSite” attribute works? It tells the browser when a cookie may ride along on a request that another site started, and set correctly it handles most cross-site request forgery in a much simpler way than the traditional anti-CSRF defenses, provided you understand what the Lax setting still lets through.
Back up. It’s not just about flags on cookies. What about authentication for APIs? What does “defeating cross-site request forgery” look like when your webapp is API-based? Is it the same? Do we need to worry about CSRF when we’re talking about APIs?
The fundamentals: always there, always relevant, and so easy to overlook. Let’s look at how cross-site attacks actually work and how your browser’s behavior can be both the cause and the solution.
Chat with your fellow attendees in the Infosec Knowledge Sharing Discord server here: https://discord.gg/fr5wqbF — in the #webcast-live-chat channel.