SecAppDev 2024 lecture details
The Past, Present, and Future of CSRF/CORF
Explore the evolution of CSRF and Cross-Origin Request Forgery, their impact on modern API-based applications, and how to effectively use defenses like SameSite cookies and Cross-Origin Resource Sharing.
Tuesday June 4th, 11:00 - 12:30
Room West Wing
Abstract
Cross-Site Request Forgery (CSRF) attacks have plagued developers for over a decade, evolving with the web's progression. This session dives into CSRF's evolution, its recent variant, Cross-Origin Request Forgery (CORF), and the effectiveness of modern defenses like SameSite cookies. We also explore the reincarnation of CSRF in APIs and how you can properly defend against these attacks. You'll gain insights into the anatomy of these attacks, prerequisites for vulnerability, and best practice defenses, ensuring a comprehensive understanding of CSRF and how to effectively mitigate it.
Key takeaway
Gain a deep understanding of CSRF attacks, the conditions that lead to vulnerability, and how to implement best practice defenses to safeguard your applications.
Content level
Deep-dive
Target audience
Web application developers and architects, security professionals
Prerequisites
A basic understanding of web applications and cookies
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Related lectures
Supercharging OAuth 2.0 security
Advanced lecture by Philippe De Ryck in room Lemaire
Tuesday June 4th, 16:00 - 17:30
Discover how to apply OAuth 2.0 in high-security scenarios, exploring its latest security enhancements. Learn about advanced features like Resource Indicators, JAR, PAR, and DPoP, gaining the knowledge to implement OAuth 2.0 securely.
Key takeaway: OAuth 2.0 offers various new security enhancements, including Resource Indicators, JAR, PAR, and DPoP, designed for high-security environments.
Security foundations for modern web applications
Introductory lecture by Philippe De Ryck in room West Wing
Monday June 3rd, 11:00 - 12:30
In this session, we explore how to leverage the web's fundamental security model to secure your applications. We also explore how to build a secure foundation for your web and API-based applications.
Key takeaway: Understand how the browser reasons about web security, and how you can leverage browser security mechanisms to secure your applications.
Introduction to Macaroons
Introductory lecture by Neil Madden in room Lemaire
Wednesday June 5th, 14:00 - 15:30
A deep dive into the workings of Macaroons, a novel authorization technique developed by Google. Learn the unique capabilities of this exciting new technology and how it is being deployed by multiple companies to secure the cloud.
Key takeaway: Learn when to use Macaroons vs other technologies for authentication tokens.