SecAppDev 2024 lecture details
The Past, Present, and Future of CSRF/CORF
Explore the evolution of CSRF and Cross-Origin Request Forgery, their impact on modern API-based applications, and how to effectively use defenses like SameSite cookies and Cross-Origin Resource Sharing.
Tuesday June 4th, 11:00 - 12:30
Room West Wing
Add to calendar (ICS) Add to Google calendarAbstract
Cross-Site Request Forgery (CSRF) attacks have plagued developers for over a decade, evolving with the web's progression. This session dives into CSRF's evolution, its recent variant, Cross-Origin Request Forgery (CORF), and the effectiveness of modern defenses like SameSite cookies. We also explore the reincarnation of CSRF in APIs and how you can properly defend against these attacks. You'll gain insights into the anatomy of these attacks, prerequisites for vulnerability, and best practice defenses, ensuring a comprehensive understanding of CSRF and how to effectively mitigate it.
Key takeaway
Gain a deep understanding of CSRF attacks, the conditions that lead to vulnerability, and how to implement best practice defenses to safeguard your applications.
Content level
Deep-dive
Target audience
Web application developers and architects, security professionals
Prerequisites
A basic understanding of web applications and cookies
Join us for SecAppDev. You will not regret it!
Grab your seat now
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Join us for SecAppDev. You will not regret it!
Grab your seat nowRelated lectures
Supercharging OAuth 2.0 security
Advanced lecture by Philippe De Ryck in room Lemaire
Tuesday June 4th, 16:00 - 17:30
Discover how to apply OAuth 2.0 in high-security scenarios, exploring its latest security enhancements. Learn about advanced features like Resource Indicators, JAR, PAR, and DPoP, gaining the knowledge to implement OAuth 2.0 securely.
Key takeaway: OAuth 2.0 offers various new security enhancements, including Resource Indicators, JAR, PAR, DPoP, designed for high-security environments
An open source WAF in a high security setting
Introductory lecture by Christian Folini in room West Wing
Wednesday June 5th, 09:00 - 10:30
Introduction to WAFs, a highly commercial market with a dominant open source offering, crazy incentives of WAF vendors, the history of online voting in Switzerland, the 2019 disaster and ray of hope cast by the WAF.
Key takeaway: Basic understanding of web application firewalls, their use cases and their limits.
Security foundations for modern web applications
Introductory lecture by Philippe De Ryck in room West Wing
Monday June 3rd, 11:00 - 12:30
In this session, we explore how to leverage the fundamental security model of the web for security. We also explore how to build a secure foundation for your web and API-based applications.
Key takeaway: Understand how the browser reasons about web security, and how you can leverage browser security mechanisms to secure your applications