Cross Site Request Forgery - Computerphile

  • Published on 31 May 2024
  • If you don't secure your web forms, one mistaken click could be all it takes for your users to delete their own accounts. Tom Scott explains.
    / computerphile
    / computer_phile
    More from Tom Scott: / enyay and / tomscott
    Hacking Websites with SQL Injection: • Hacking Websites with ...
    Cracking Websites with Cross Site Scripting: • Cracking Websites with...
    This video was filmed and edited by Sean Riley.
    Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at: bit.ly/bradychannels

Comments • 350

  • @ionlymadethistoleavecoment1723 8 years ago +1459

    As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.

  • @ja-vishaara 9 years ago +1016

    Tom, I'm never going to your blog, that's for sure now.

  • @Sam_596 6 years ago +152

    "But since then, it's got a bit more complicated"
    -Tom Scott, 2013, describing the internet and the history of the universe in one sentence.

  • @olatrials 9 years ago +607

    The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!

  • @o2dyt 10 years ago +365

    "My hand has lower ambitions than my brain does"
    Yeaaah I know the feel...

  • @VictorFrost 10 years ago +307

    I love how passionate Tom is about this. You can really see it in his face and hear it in his voice.

  • @MozQit0 10 years ago +109

    After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to Tom and the Computerphile team for spending their time and effort to make these great videos!

  • @craftxbox 7 years ago +236

    where's the brown paper?

  • @luiscanamarvega 9 years ago +195

    Please, don't ever stop making these.

  • @matts.1352 10 years ago +179

    I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites.
    Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers screen-name authentication, and to modify my screen-name when I was in the chat. Worst-yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations.
    Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.

  • @123456789robbie 10 years ago +51

    Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person I'd have wanted to be best friends with if we'd been kids at the same time and place.

  • @TheWP120 8 years ago +141

    These Tom Scott videos are so addictive, I can't stop watching! xD

  • @user-uc4ll6kx1g 8 years ago +83

    This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). In the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both these attacks are well-known and defended against.

  • @MisterPorkchops 10 years ago +56

    Tom is probably my favorite person on this channel. I just love the way he talks and I love the topics he has.

  • @steam2300 10 years ago +1

    These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.

  • @AndersEvenrud 10 years ago +19

    Being a web-developer I highly enjoy this series. Tom really knows what he is talking about, and I just love the enthusiasm.

    • @suit1337 10 years ago +1

      It disturbs me that you're a web developer and enjoy this :) You should already know all these issues.

    • @AndersEvenrud 10 years ago +7

      suit1337 Yes, I know about these issues. I think most of the developers out there enjoy these videos regardless of what they know about the subject. And there is always a chance of learning something new.

    • @nryle 10 years ago +1

      suit1337 You do know that web developers can be new to web development right? We don't live in the age where the only way to learn something is through a proper school. You could easily start your web development very small time on your own and be unaware of the basic security flaws...

    • @suit1337 10 years ago

      I'm aware of that - and that is a shocking development in this business. Take another work field for example: someone could not easily start a business as an electrician without proper education - but you can start as a web developer.
      There are lots of fools around here with no clue, even in the basic properties of the business, but they make shitloads of money with their crap.
      That really fills me, doing proper work, with anger.
      ---
      Just an example from my country (Austria):
      - the website of our ex financial minister was priced at 220.000 Euro
      - the website of the agricultural ministry cost about 5,5 Million Euros
      And those websites are not even closely done properly and get defaced over and over again - instead of blaming the stupid overpriced web developers with no proper education they blame the "bad hackers".
      A few weeks ago our interior ministry presented a new 100 % hackerproof "student licence" - it was hacked only 3 days after via a very simple SQL injection.
      I hope you understand that it disturbs me that every moron with no education can start a new 1-man web agency and start coding with no education in the field at all.

    • @nryle 10 years ago

      suit1337 I understand this, it's true of anyone who takes pride in their work. It's not really that shocking though. This is true of any business until government steps in to regulate it.
      I think the true problem lies in the fact that Web Development is an all encompassing term even though it has several aspects: Design, Functionality, Reliability, Marketability, and, of course, Security. From what I've seen most people think these are the same, though many have started to separate design.

  • @Phrikeares 8 years ago +47

    Can't I just load the other form in an invisible iframe and then parse and search through the HTML retrieved? Use the token info and create my own form.

  • @isaac10231 10 years ago

    It's good having an episode of Computerphile, mainly because the intricate and important details in computers are _so complicated_, even though I (thought) that I knew about computers. This kinda gives me a foundation.
    Also you should probably talk about logic gates, whether it's Minecraft or whatnot; they explain how you could have two light switches for one light.

  • @kiddor3 10 years ago +11

    Ironically I saw "nonce" today in a code and I thought someone didn't follow code standard for nOnce or n_once. Now I know what they meant.

  • @blob1190 7 years ago +3

    Got an exam on this tomorrow, this was so helpful for me, thanks! The way you explain things makes them easily accessible

  • @Reddemon815 10 years ago

    These are awesome. This guy makes Computerphile the channel I look forward to. More of him.

  • @thoughtsofadyingatheist1003 9 months ago +2

    You'd be surprised how many web devs don't know about this in 2023

  • @TheBreadCatt 10 years ago +1

    Great and informative video as always. Loving the amount of Tom on this channel.

  • @Linksbruder 10 years ago +1

    Just wanting to let you guys know that you are doing a great job. I love watching your videos and always get excited when I see that you posted another one.
    I'm 16 years old and enjoy programming, but those videos add another point of view to it and really get you thinking.
    Greetings from Germany

  • @tedspens 8 years ago +8

    I always wondered how Wordpress' nonce hash works. Thanks for the enlightenment!

  • @Zimpfnis 10 years ago +1

    I know little about IT or programming, but your videos are always very informative and easy to understand, so thanks!

  • @coolsebz 10 years ago +1

    This is great! :D I love the way Tom explains advanced terms in really simple ideas

  • @Imrooniel 10 years ago

    This mini series on security is just wonderful. Love the content, love the voice, it's just great.

  • @hotrodmind 10 years ago

    These videos just seem to come right after I've implemented something for a project in my courses... Thank you for informing me of these things; heaven knows I'll need them in the field.

  • @annayosh 8 years ago

    The tale in the beginning about POST and GET requests is a bit of an ideal case too. Many sites actually work just as well if instead of a GET request you make a POST request with the same content, or vice versa.

  • @Daetok 9 years ago

    This channel is absolutely amazing!

  • @marko_2317 5 years ago

    Very informative and explained in a simple and understandable manner. That's why Tom is my favorite, though I enjoy watching the others, too!

  • @nosscire 10 years ago +1

    Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!

  • @krajek1985 9 years ago +3

    Tom, You are the best. Keep making those excellent videos.

  • @BorealSelfReliance 10 years ago

    Great explanation, I did know this sort of attack existed but had never given much thought about how to mitigate it.

  • @ramikafa 10 years ago +13

    This guy is an excellent presenter. Please, more of him.

  • @ambitecturous4741 8 years ago

    Excellent description of XSRF. Thank you. I understand the concept and defenses now.

  • @AmitGadaley17 3 years ago

    Very helpful. I liked both the content and the way you described the CSRF. Thanks!!

  • @DevonBernard 10 years ago

    Another great video guys, looking forward to more cool explanations. Keep up the awesome work!

  • @Sc2mapper117 9 years ago +2

    This was really interesting. I was aware of cross-site scripting and SQL injection but I had never heard of this. Thanks :)

  • @scienceblossom6197 6 years ago

    Best quality of explaining anything ever possible!! Thanks A TONNN!

  • @DannyBurkeBanjo 10 years ago

    Love your videos! I will be doing web computing in September at uni and these videos are excellent! Thanks

  • @rahil471 10 years ago

    Awesome video, great help.
    I'm always waiting for your new videos.

  • @davidgeismar6531 6 years ago

    Great vid! So on a website you would store in a database the CSRF token every time a user logs in?

  • @magnetar02p.23 7 years ago +8

    I know this is not relevant to this video, but can you do a video on elliptic curve RSA cryptography?

  • @AceCorban 10 years ago +3

    I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?

  • @Mar_Ten 6 years ago

    Actually learned this now by the video. Quite interesting and will be sure to include this in serious projects in the future.

  • @gorea235 10 years ago +1

    This guy is amazing! More videos by him please!

  • @yinge101 10 years ago

    Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?

  • @evildude109 10 years ago

    Is this something I can see in context, like in the html of this web page? Where would it be in the code? I don't quite understand it yet.

  • @Smittel 5 years ago

    What I'm wondering is, how would that work? I tried to make myself a custom start page for my browser that would pull the most recent football league tables and game results for PL, LaLiga and Bundesliga and display it. It wouldn't let me do that, even though I didn't even send anything; I just requested some table in an HTML.

  • @hecanylmz 4 days ago

    I've just watched the video, it was really helpful on my course! Thanks! 🙂

  • @TheAaaargh 10 years ago

    Would it be possible for a virus to monitor the network traffic for specific one-time numbers, say your bank's number, and then when it finds one quickly send a premade form, transferring money from your account to the creator's as soon as you visit your bank's site?

  • @Hobo_X 10 years ago

    I love this guy please keep making more videos with him

  • @0x656e 9 months ago

    But what if I first send the request for the original page; let's say the route /send-money is the route with that form. So I send the request to that form, scrape the CSRF token from it, and now send it with my malicious form.
    Would that work?

  • @MaxGuides 10 years ago +2

    you request the token with your script
    and later in the script you use that token
    easy if the form is standardized-like deleting enemy facebook pages

  • @Niosus 10 years ago +1

    It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout, the user needs to have been on the form which does the action; somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out, and you could even track when they leave the form to immediately invalidate the nonce.

  • @nowhereman3814 8 years ago +10

    So...what the hell does nonce mean in Britain?

  • @kuro68000 8 years ago +6

    Why does the camera randomly zoom in sometimes? It's really distracting.

  • @vinkuu 10 years ago +1

    Here's one consideration on how important it is to validate user input on the server side. Take any disabled HTML element. Open up the Firebug console and run some JavaScript, e.g. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.

  • @TheSam1902 8 years ago +1

    Nice video! I already heard about it but I didn't understand everything, so you've made the web a safer place!

  • @NorthcodeNo-no 10 years ago

    Well, I use SESSION vars to validate; is that fine or should I do this as well?

  • @eldizo_ 10 years ago

    Will Tom be a regular? His bits are great.

  • @ragir 10 years ago +7

    Great, now I've got to rewrite the project I'm working on. I didn't know about this and it's so obvious. Good video!

    • @Airblader 10 years ago +8

      If you have to rewrite a project to protect against CSRF attacks you are doing other things wrong as well

    • @IceMetalPunk 10 years ago +1

      Rewrite? That sounds a bit like overkill. Just add a nonce token and you're as good as you'll get.

  • @mw2isepic1 10 years ago +1

    This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)

  • @imrankhan-uo4jy 9 months ago

    Excellent explanation in simplest terms!

  • @CrystalblueMage 10 years ago

    Being able to create your own version of a form and send it is a problem in general, as you could also strip out any checks in the original form you don't like.

  • @nanopi 10 years ago

    Could clickjacking be the 4th in this series? At least that one is easily blocked by X-Frame-Options and some other stuff.

  • @mkaatr 10 years ago +3

    Thanks for the video. This is really useful.

  • @kaitlyn__L 10 years ago

    Would modern browsers' tab sandboxing prevent that sort of thing?

  • @RedHotBagel 10 years ago

    Brilliant Video!
    Awesome and clear explanation!

  • @sacredgeometry 10 years ago

    I love these videos, thank you.

  • @LucianoHelenodaRosa 10 years ago

    I simply love all of Tom's videos, very well explained.
    Keep going with the good content, Mr. Red T-shirt haha - I don't know if it is intentional or not, so I don't want to be a jerk. :p.

  • @MrAskolein 10 years ago

    Awesome video! Systems security is, to my mind, the best subject to do videos on. Keep doing that; this is very interesting, very useful! Keep up that good work.

  • @lloydnone 10 years ago +1

    Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt-tipped pen sound quieter/non-existent. It makes my toes curl!

    • @FernieCanto 10 years ago

      Word! That is even worse in Numberphile.

  • @lc3 8 years ago

    Thank you.
    Is there a way to know if a site is using tokens?

  • @flidrl 10 years ago +1

    Ya know, if accepting requests from other websites would work, then the form would likely be accessible by JavaScript running from the other website as well.
    Which means, my javascript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.

  • @edinatl2008 9 years ago +17

    Thanks for helping me learn the valuable lesson of what a 'nonce' is in UK.

  • @hidalginator21 10 years ago

    Great Video. As a novice web developer these videos help immensely. Keep them coming. A video on how to design a site which can be logged into securely would be very helpful.

  • @Rudde47 10 years ago

    Can't you just load the bank page in the background of your site with JS, get the token from there and then run a POST request from your site?
    Also, how does one store this token?

  • @otanix 6 years ago +1

    I've been looking for a video that I can send to my non-techie friends to give them slight idea about XSRF. This video is what I've seen so far that's lay-man friendly.

  • @datdereh2367 10 years ago

    What if you loaded an invisible in the user's browser when they loaded "myAwesomeBlog", extracted the token and used it in a CSRF attack?

  • @xenizs9112 1 year ago

    still relevant even nowadays how beautiful

  • @chriskormaris 6 years ago

    thanks for this magnificent explanation!

  • @ChrizzyWhite 10 years ago

    been waiting for this video

  • @FixDaily 2 years ago +1

    Thank you Dawson from Dawson's Creek!

  • 10 years ago

    What happens if we make a call to the page that generates the form and take the token from there?

  • @FFVison 10 years ago

    I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.

  • @k776 10 years ago +1

    The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.

  • @MichielHaisma 10 years ago

    It just gets better!

  • @bisschops99 10 years ago

    Love this guy! Great video(s)!

  • @vortyx090 8 years ago

    Ty for those lessons, they are so cool!!!

  • @AmiyaPatanaik 10 years ago

    Awesome... never even thought of such a security issue... I think Chrome's sandboxing of the tabs won't help here coz I have seen that sessions and cookies are shared across tabs... Keep it coming - love the videos

  • @evenstevens280 10 years ago +1

    This guy is so good. More of him! :D

  • @Kerbobotat 10 years ago

    Really interesting! But how do you know if your bank, etc. is using the token system? Also, can we get a computerphile video explaining bitcoin?

  • @TessaBain 10 years ago

    Wonder if the games I play use it in their deletion form?
    _goes off to make a post in the staff forum to bring it to their attention just in case_

  • @Marphale 6 years ago

    I don't understand this and must be missing something. What's to stop the malicious site from sending a GET request for the form and then (via javascript) sending the POST request with the token afterwards? If the answer is that the GET request is secured by the encrypted session ID for the user, then why does that encrypted session ID not secure the POST request also?

  • @samramdebest 10 years ago +18

    But what if the malicious webpage itself loads the bank site in the background? It can get the token that way.

    • @mart3323 10 years ago +5

      Cross-site scripting is blocked in browsers.
      As a simple example, say I have a site with a bunch of livestream embeds, and I set up a script that when I press F2, it scrolls to my favourite one.
      As soon as I click inside any of the streams, say the play button, F2 won't work,
      and it'll continue to not work until I click outside again, giving focus back to my own page.
      The only way they can load the bank would be to actually load the bank visibly to you, because you're the only one that can interact with it..
      the scripts can't..., not theirs anyway

    • @samramdebest 10 years ago +5

      I think that what you are saying is incorrect; I have done some coding with AJAX (Asynchronous JavaScript and XML) and it didn't need to be visible to be able to load.
      And almost every page on the internet gets data from other sites invisibly (I once had a Chrome extension that showed which site you visited and where they took data from; an average site connected to more than 20 different websites, like for tracking: Google Analytics).

    • @OKMX5 10 years ago +6

      I think that the token will be different because it is another loading/creation of the form.

    • @samramdebest 10 years ago +1

      What do you mean, other loading/creation of the form? It is not; the site downloads the form and the token, and then sends it back to the bank.

    • @samramdebest 10 years ago

      Oh, do you mean that even the request for the form, not only the submission, needs to be accompanied by the token? That would make more sense and would solve that problem, thanks.

  • @barefeg 10 years ago

    So even if the malicious site knows how to generate the token (e.g. if it is from WordPress, etc.), because it doesn't know the username (assuming the token is generated using that), then the attack won't work, right?

    • @xdjoshuaaz 10 years ago

      Tokens should be generated randomly (not based on username) and then stored in some sort of session storage (for that user). Creating token value based on username reduces the security provided by this method since the user could use the same username on all websites etc.
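The two token designs that come up in this thread, a random per-session token kept in server-side session storage (as @xdjoshuaaz describes, answering @AceCorban's and @davidgeismar6531's questions about where the server keeps valid tokens) and a nonce bound to the action, the user's session and a short timeout (as @Niosus describes), written out as one added Python example; this is editor-written code, not Computerphile's or any commenter's, and the server key, session ids and action names in it are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed placeholder: a real deployment loads the key from configuration.
SERVER_KEY = b"example-only-server-secret"
TOKEN_LIFETIME = 300  # seconds; a short window limits how long a leaked token is useful


# --- Variant 1: random token stored in the user's server-side session ---

def issue_session_token(session: dict) -> str:
    """Create (or reuse) an unguessable token tied to this session only."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_session_token(session: dict, submitted: Optional[str]) -> bool:
    """Compare the submitted form field against the stored value in constant time."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


# --- Variant 2: stateless nonce bound to session, action and issue time ---

def _sign(session_id: str, action: str, issued_at: int) -> str:
    msg = f"{session_id}|{action}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_action_token(session_id: str, action: str, now: Optional[int] = None) -> str:
    """Nonce valid only for one action, one session, and a short time window."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_sign(session_id, action, issued_at)}"


def check_action_token(session_id: str, action: str, token: str,
                       now: Optional[int] = None) -> bool:
    """Reject tokens that are malformed, expired, for another action, or forged."""
    now = int(time.time()) if now is None else now
    try:
        ts_text, sig = token.split(".", 1)
        issued_at = int(ts_text)
    except (ValueError, AttributeError):
        return False
    if issued_at > now or now - issued_at > TOKEN_LIFETIME:
        return False
    # Recompute the signature from what the server knows and compare in constant time.
    return hmac.compare_digest(_sign(session_id, action, issued_at), sig)


def demo() -> dict:
    """Walk through the cases the comments ask about and return each outcome."""
    session = {"user": "alice"}  # constructed stand-in for a server-side session
    tok = issue_session_token(session)
    results = {
        "session_ok": check_session_token(session, tok),
        "session_forged": check_session_token(session, secrets.token_urlsafe(32)),
        "session_missing": check_session_token({}, tok),
    }
    t0 = 1_700_000_000
    comment_tok = issue_action_token("sess-alice", "post-comment", now=t0)
    results["action_ok"] = check_action_token("sess-alice", "post-comment", comment_tok, now=t0 + 10)
    # A nonce issued for commenting must not authorise deleting the account.
    results["action_mismatch"] = check_action_token("sess-alice", "delete-account", comment_tok, now=t0 + 10)
    # The same nonce presented under a different session is rejected.
    results["other_session"] = check_action_token("sess-mallory", "post-comment", comment_tok, now=t0 + 10)
    # The same nonce after the timeout is rejected.
    results["expired"] = check_action_token("sess-alice", "post-comment", comment_tok, now=t0 + TOKEN_LIFETIME + 1)
    return results


if __name__ == "__main__":
    print(demo())
```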

  • @aerouk 10 years ago

    This guy's videos are brilliant! Web security and hacking is so interesting. :)