🛡️ CSRF-like request token handling in TYPO3

A CSRF-like request token handling is available to mitigate potential cross-site requests on actions with side effects. This approach does not require an existing server-side user session, but uses a nonce as a "pre-session".

➡️ https://docs.typo3.org/m/typo3/reference-coreapi/13.4/en-us/ApiOverview/Authentication/AuthenticationService/CSRFlikeRequestTokenHandling.html

#TYPO3 #security #csrf

iX-Workshop: OWASP Top 10 – Sicherheitsrisiken für Webanwendungen verstehen

Lernen Sie die wichtigsten Sicherheitslücken in Webanwendungen kennen und erfahren Sie, wie Sie sich erfolgreich schützen können.

https://www.heise.de/news/iX-Workshop-OWASP-Top-10-Sicherheitsrisiken-fuer-Webanwendungen-verstehen-11229186.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#XSS #CSRF #IT #iXWorkshops #OWASP #news

If you're handling PHP sessions, don't ignore this:

`lifetime` → how long the session lives
`domain` → who can use it
`path` → where it applies
`secure` → HTTPS only
`httponly` → out of JS reach
`samesite` → CSRF defense

small details, big differences.

#php #session #csrf #https

How I Found a CSRF Vulnerability That Could Take Over Student Accounts on an Educational Platform
This vulnerability was a Cross-Site Request Forgery (CSRF) attack, allowing malicious users to hijack student accounts on an educational platform by manipulating a sensitive account management action (changing passwords) through an unsuspecting victim's browser session. The application failed to verify that the origin of the request was the legitimate user, instead relying on session cookies for authentication without additional CSRF protection. By using a crafted payload within a link, the researcher exploited the flawed security mechanism by forcing the victim's browser to make a password change request on behalf of the attacker. The impact was significant as unauthorized individuals could gain access to sensitive student accounts. The researcher received $500 as part of the bug bounty program, and the platform responded by implementing CSRF tokens for account management actions to prevent future attacks. Key lesson: Always implement CSRF tokens to protect sensitive user actions. #BugBounty #Cybersecurity #WebSecurity #CSRF

https://medium.com/@s3clipt0r/how-i-found-a-csrf-vulnerability-that-could-take-over-student-accounts-on-an-educational-platform-6e65bc70816f?source=rss------bug_bounty-5

Protéger son app PHP contre les attaques CSRF sans jetons partout, c'est possible.

3 techniques combinées (Referer, POST only, SameSite=Lax), comparées en PHP pur, Laravel, Symfony et Temma.

https://www.geek-directeur-technique.com/2026/03/18/csrf-temma-vs-laravel-vs-symfony

#PHP #Security #CSRF #laravel #symfony #temma

Protection anti CSRF à l'aide du header `Sec-Fetch-Site`.

🔗 https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields

#csrf #HTTP #sécurité

AI Red Teaming: спор с Grok — Часть 2. За пределами sandbox: CSRF, WAF bypass и privilege escalation

Sandbox - эфемерный, умирает после сессии. Мне нужны были уязвимости на продакшн-инфраструктуре. Нашёл: zero-click CSRF на все 11 методов billing API через gRPC + text/plain, обход Cloudflare WAF одним заголовком, и создал management key с 50 привилегиями. Всё до сих пор на серверах xAI.

https://habr.com/ru/articles/1005302/

#нформационная_безопасность #CSRF #gRPC #WAF #Cloudflare #privilege_escalation #xAI #Grok

Une vulnérabilité Chromium en pure CSS qui permet de récupérer des données sensibles comme le token CSRF (CVE-2026-2441)
https://www.sitepoint.com/zero-day-css-cve-2026-2441-security-vulnerability/

Zero-Day CSS: Deconstructing CVE-2026-2441

#Chrome #Chromium #CSS #CSRF #CVE