วีดีโอ

Thanks for the feedback and you're absolutely right. The intention of this video is to be an introduction to the topic and lead to further potential videos based on feedback/questions that come up in response. I'm glad to hear you're already very knowledgeable on the topic 👍

@@clarkio Hi, thanks for the response. I didn't mean to be rude and I am not very well knowledgeable, but it would be nice to have more hints to advanced topics and where to learn more etc. I guess its a hard line to walk on between not being boring and being too shallow. Anyway this video made me watch some of your others vids which are a bit more in depth and they helped me a ton, thanks!

Are you interested in seeing something that goes more in-depth on the topic?

@clarkio of course, each of the methods you mentioned could have it's video were your start building an app with python or js add the code, run the app to see for example how to using Oauth2 works, next time add CORS until we have a full app with all features implemented and running.

Yes it's been added in the description here now and is in the original main video this clip is from. Here is the direct link so you don't have to dig for it further: th-cam.com/video/QZWPdJUwxls/w-d-xo.html

@@clarkio Thanks!

no, the URL may ALWAYS come from the client, thats how the internet works (just put it into the address line, you're done). The issue is that the Serverside accepts it without checking if it was generated and its likely there is no appropriate Authorization used for a specific sideproject (or maybe even the same authorization codes over multiple projects), and most likely the projectId is just some numerically increasing code. you can figure out easily (project 1, project 2 etc). So you can steal the token you generate from project 1 and use it to access project 2.

​@@ZeruelBWelp, clearly what I said was ambiguous. Thanks, that is what I meant. Thanks for expanding.

I think the point is that AI be passing inputs like that all the time… so imagine all the “devs” that are just using AI to fake skills, not knowing why what AI is doing is wrong.

@@jobjobbington6884 Yes that code was generated by AI. You can see more context about how it came to be from Web Dev Cody's video here: th-cam.com/video/QZWPdJUwxls/w-d-xo.html

2nd this

@comosaycomosah are you having this same issue? What resources have you found (youtube channels, blogs, reports, websites, etc.) that helped you out the most? My major issue is that I can read 500 page cybersecurity/bug hunting/hacking/pentesting books day after day but unless I can see an example or do it physically (follow along), it just seems to be forgotten. There is so much information needed for any part of cybersecurity. I could spend years on just xss or xxe or ssrf... it's just a lot. So how did you manage this? (If any of this applies to you that is)

@@Trosshack I'm like this too I have to to do the problems myself to actually learn, watching yt channels is almost pointless I try and do things like try hackme and hackthebox another thing you can do is set up your own servers amd pentest on them

@@Trosshack I think my subscriber list is public I cant really think of many good ones right off but I've noticed a trend even good channels like loi llang yang has been shit lately. Zsecurity is good yt channel

@@comosaycomosah I 100% agree.. I really like zsecurity and also that yang hasn't made content like he used to because he taught me a lot in his early stuff... I'll just keep practicing.. in cybersecurity it seems that practice practice practice is key to understand it fully. Books are good for refreshing your knowledge or reference the information... otherwise I seem to forget 80% of the details.

Thank you so much for the comment! I'm glad to hear you found this valuable 👍

​@@clarkio You're very welcome! I'm always excited to support your great content. Keep up the fantastic work! 👍

Hmm without further context it's hard to definitively say yes or no but it sounds like yes that would help ensure the request is being done intentionally by someone and not maliciously by a bad actor. Essentially, when it comes to CSRF, having a way to validate the source of the request is key to mitigating the vulnerability. One common way to mitigate CSRF is using what's called the Synchronizer Token Pattern. That involves create a unique and random token that is included in the request and the server validates it before handling the request further.

Appreciate the feedback Chuck and I definitely understand disliking that sort of thing. What are the types of thumbnails that you prefer or find yourself clicking on more then? I'm continuously learning how things work on YT and lean on a partner of ours to help with the thumbnails so it'd be super helpful to hear your suggestions and discuss this further with them.

I didn't have it available before but you can now check it out under my repo here: github.com/clarkio/ai-code-security/blob/main/cursor/public/script.js

Thank you too for the question that inspired this video 👍

Also did this help answer your question? Do you have any further questions that come to mind? Hope it helped

@@clarkio Thanks. It did help. I will let you know if I have any further questions .

🤣🤣🤣

Glad to hear that!

@@clarkio only thing i dislike is how fast tokens go away

Questions are definitely welcomed. The short answer is any time there is data that is not validated for the context in which it's intended to be used. Essentially, always question those areas and assume it *could* be vulnerable to XSS. I hope that helps and feel free to share any further questions you have.

@@clarkio thank you. Fantastic advice. I also had a question about the software you use.. how accurate is it opposed to other automated tools?

@@Trosshack hmm that's a tough question for me to answer because I'm not as experienced with other tools and therefore don't want to comment without having given them a fair review first. What I can confidently say is Snyk continuously works hard on being accurate while also limiting noise for developers and security teams.

That's a great question and I can look into going deeper on the topic in a follow-up video if you'd like. However the quick/short answer is that CSRF happens due to trust from the client (for example your browser) to the server and SSRF happens due to trust from the server to another server/API. So for CSRF an attacker forges requests from the client to the server whereas for SSRF an attacker forges requests from the server to another dependent server or service/API. Hope that helps and let me know if you have further questions.

I would really appreciate more detailed video of this topic from you. Thanks.

@@mako13937a hey heads up that a video on this is in progress. It'll likely be published on Monday October 28

@@clarkio Thanks.

Glad to hear that

🤣🤣🤣

Thanks for pointing that out. Missed it before

Ha yea just messing around saying that. Good to have competition

Fair enough. Personally idk that I will fully switch but I’m enjoying trying it out

You have a point. I think if it’s got features that pull people away from VS Code though then it’s a competitor

Ah shoot yea thanks for pointing that out

But, looking at the linked video title, AI is :)

you underestimate how stupid people can be

@@potatoes1549 ye but, stupid people wouldnt even learn how the <head> tag works so i doubt they'll make somethinglike this anytime soon

@@klh_io what's the AI trained on?

Guess it should be removed from the OWASP top 10 then...

@@clarkio I dunno I never found a bug outside of labs 😔

same question, looks beautiful

@@DexFlex_YT- It's called Deep Purple: marketplace.visualstudio.com/items?itemName=mel-brown.deep-purple

Hey that's cool to hear you're learning programming. I'm sure you'll get there and I'm here if you have questions so don't hesitate to share them. Or if you'd like you could join our Discord community to learn more about security and programming: discord.com/invite/NXuz63GmUt

Hey glad to hear you enjoyed the video and totally understand about the color theme. What's a color theme you really enjoy using? I can try it out in a future video.

@@clarkio nahh it's okay, I was bothered by some of the text color that's really hard to read in purple.. but if you really like purple, I saw an Evangelion theme but it was for neovim. I use the "Bamboo" color theme on my neovim. It's nature / forest based theme.

@@clarkioi actually really like it, but the theme is going to be a bit hard for some people to read

@@pietraderdetective8953 I kinda like purple but mostly going for consistency with the branding in these videos. I'm assuming you mean this Bamboo color theme? github.com/ribru17/bamboo.nvim That looks kinda similar to the default theme in VS Code. I did find a more green theme called Dark Green Jungle I'm kinda liking: github.com/AaBbdev29/Dark-Green-Jungle

Thanks! Glad to hear that

I'm using Visual Studio Code (VS Code) and the theme is called Deep Purple: marketplace.visualstudio.com/items?itemName=mel-brown.deep-purple

Awesome to hear and thanks for sharing

Nice I like that one

Very glad to hear that!

This comment made my day! Thanks so much for sharing. We'll definitely be keeping this up. Appreciate the encouragement👍

100%

I can understand not wanting to download yet another package. So yea if you want to roll out your own mitigation code to prevent CSRF attacks that works too. However, did you mean CSRF instead of CSP?

CSRF is only one area of content security. If you are worried about CSRF on a note taking app, then you might as well check for other browser side channel attacks. Can't wait to see this 'AI' figure out how to implement XSS vulnerabilities next.