SOP doesnt allow you to send requests cross-sites. In SOP there is the letter O, which stands for Origin. An origin is not a site, those are two different concepts. And by definition, SOP does not protect from CSRF. It protects from COW (Cross Origin Writes). I like the energy and the enthusiasm, we need that in the field, but if you want to present something and don't want to sound like you dont know what you're talking about, I would suggest you do your homework before. Thank you for sharing anyway.
Actually he is right , If the content-type was application/json this would be considered as not-simple request for the browser and would require a preflight request which would block the XS-search(Get based CSRF) request because its not a trusted origin
@@cowid I'm aware of my comment bro, If there is anything wrong with his concepts then you can mention the timeline and explain your opinion ,otherwise I'm not seeing what are you pointing for
@@baraamansi7637 I'm not your bro son, for one thing. Secondly, it's not a coNcEpT problem. It's a terminology problem. Words and acronyms have meaning. Throwing a bunch of acronyms around without understanding what they entail makes you sound like someone who does't fucking know what you're talking about. For the timeline, you can refer to the entire video that is pretty much glib the entire time. To answer specifically your question, 20 mins mark: "...authorized by the same origin policy to be sent cross-site". SOP doesnt allow or prevent from accessing resources cross sites. Again, re-read my first comment. Sites and origins are two different things. We can go on all day like that, bro.
@@cowid Take it easy man,It's not that massive problem if he did a little mistake, As long as the concepts are valid and there is benefit it's totally fine to share we are not perfect .Secondly,There is no need for the agressive attitude brooo, LOL
IT's 3.55 I am on now. Just Awesome and great talk. Keep up the great work, Ben! You are giving gems to the community. Thanks man.
That was super cool. Amazing work, Lupin. And the presentation was awesome. Thank you, Nahamsec!
Amazing presentation, whoever does the marketing/graphic design for Lupin is the 🐐
Thank you so mutch Lupin for this awesome presentation .
Ben thx for sharing , grateful for it my Friend
Thank you Lupin for this great presentation and Ben for sharing these great presantations with us!
Amazing presentation, thank you Lupin ;-)
What was the impact of the last vulnerability? Attacker could bruteforce secrets of users via csrf?
that was a pretty cool Finding!
especially the widespread vuln sounds interesting
11:06 this tool sounds really useful. Is there a link for it?
You can use graphql-path-enum, it's very similar to what he show there
The slides are very fun to watch
How exactly is the SOP bypassed in the last vulnerability?
Nice bro...@Nahamsec keep it up
Hell yeah
Thank you, Ben!
Great talk!
This is a good dude 🥂
#NahamCon2024
SOP doesnt allow you to send requests cross-sites. In SOP there is the letter O, which stands for Origin. An origin is not a site, those are two different concepts. And by definition, SOP does not protect from CSRF. It protects from COW (Cross Origin Writes). I like the energy and the enthusiasm, we need that in the field, but if you want to present something and don't want to sound like you dont know what you're talking about, I would suggest you do your homework before. Thank you for sharing anyway.
Actually he is right , If the content-type was application/json this would be considered as not-simple request for the browser and would require a preflight request which would block the XS-search(Get based CSRF) request because its not a trusted origin
@@baraamansi7637 Re-read my comment, thank you.
@@cowid I'm aware of my comment bro, If there is anything wrong with his concepts then you can mention the timeline and explain your opinion ,otherwise I'm not seeing what are you pointing for
@@baraamansi7637 I'm not your bro son, for one thing. Secondly, it's not a coNcEpT problem. It's a terminology problem. Words and acronyms have meaning. Throwing a bunch of acronyms around without understanding what they entail makes you sound like someone who does't fucking know what you're talking about. For the timeline, you can refer to the entire video that is pretty much glib the entire time. To answer specifically your question, 20 mins mark: "...authorized by the same origin policy to be sent cross-site". SOP doesnt allow or prevent from accessing resources cross sites. Again, re-read my first comment. Sites and origins are two different things. We can go on all day like that, bro.
@@cowid Take it easy man,It's not that massive problem if he did a little mistake, As long as the concepts are valid and there is benefit it's totally fine to share we are not perfect .Secondly,There is no need for the agressive attitude brooo, LOL
Bro stop telling « n’importe quoi »
Graphql is a data structure where php is web programming language 😅
With all the ads around i've vomited... After a few minutes go full screen... I dont even understand why sponsor are needed on a Twitch stream but meh