Protéger son app PHP contre les attaques CSRF sans jetons partout, c'est possible.

3 techniques combinées (Referer, POST only, SameSite=Lax), comparées en PHP pur, Laravel, Symfony et Temma.

https://www.geek-directeur-technique.com/2026/03/18/csrf-temma-vs-laravel-vs-symfony

#PHP #Security #CSRF #laravel #symfony #temma

Protection anti CSRF à l'aide du header `Sec-Fetch-Site`.

🔗 https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields

#csrf #HTTP #sécurité

AI Red Teaming: спор с Grok — Часть 2. За пределами sandbox: CSRF, WAF bypass и privilege escalation

Sandbox - эфемерный, умирает после сессии. Мне нужны были уязвимости на продакшн-инфраструктуре. Нашёл: zero-click CSRF на все 11 методов billing API через gRPC + text/plain, обход Cloudflare WAF одним заголовком, и создал management key с 50 привилегиями. Всё до сих пор на серверах xAI.

https://habr.com/ru/articles/1005302/

#нформационная_безопасность #CSRF #gRPC #WAF #Cloudflare #privilege_escalation #xAI #Grok

Une vulnérabilité Chromium en pure CSS qui permet de récupérer des données sensibles comme le token CSRF (CVE-2026-2441)
https://www.sitepoint.com/zero-day-css-cve-2026-2441-security-vulnerability/

Zero-Day CSS: Deconstructing CVE-2026-2441

#Chrome #Chromium #CSS #CSRF #CVE

Guillermo Rauch (@rauchg)

@grok에게 CSRF(크로스 사이트 요청 위조)를 Aiden에게 설명해주고, /logout 엔드포인트가 GET이면 안 되는 이유, Next(Next.js)에서 이를 구현하는 것이 왜 어려운지 및 프레임워크가 왜 이 패턴에서 벗어나도록 유도하는지 설명해달라는 요청입니다. 또한 이런 방식으로 과시(clout)를 쫓는 것은 바람직하지 않다는 경고를 포함합니다. 개발 보안·프레임워크 설계 관련 실무적 지침 요청입니다.

https://x.com/rauchg/status/2023456541630996501

#security #csrf #nextjs #grok

huh #mozilla #firefox creates completely unique addon uuids in every deployment, and include this in the "Origin" header of HTTP requests initiated by the addon:

https://hister.org/posts/firefox-extension-ids-the-bad-and-the-ugly/

this sucks if you want to avoid #CSRF attacks and it is a massive #GDPR violation. Something for the @EDPS to keep an eye on...

[PortSwigger][Practitioner] - Lab: CSRF where token is not tied to user session
In this lab, the vulnerability was Cross-Site Request Forgery (CSRF), caused by a lack of proper synchronization between the CSRF token and user sessions. The application issued CSRF tokens for all requests without tying them to active user sessions, allowing an attacker to exploit unintended actions on behalf of the victim. The researcher used Burp Suite's Intruder tool to inject a malicious payload into a victim's browser through a phishing email or other means. By exploiting this flaw, the attacker could execute unwanted account changes or data manipulation, as the application accepted user requests without verifying their origin. The impact included unauthorized actions and potential privacy breaches. Remediation includes tying CSRF tokens to active user sessions during token generation. Key lesson: Always ensure proper synchronization between CSRF tokens and user sessions to prevent CSRF attacks. #BugBounty #Cybersecurity #WebSecurity #CSRF #InputValidation

https://medium.com/@Javiki/portswigger-practitioner-lab-csrf-where-token-is-not-tied-to-user-session-ccdf23b43f4b?source=rss------bug_bounty-5