[Info-vax] OS implementation languages
Arne Vajhøj
arne at vajhoej.dk
Sat Sep 9 21:06:15 EDT 2023
On 9/9/2023 7:22 PM, Chris Townley wrote:
> On 09/09/2023 22:35, Arne Vajhøj wrote:
>> On 9/9/2023 11:16 AM, Arne Vajhøj wrote:
>>> PHP does not have many of the common general flaws like
>>> buffer overflow and memory leak.
>>>
>>> PHP has all the features needed for secure web applications.
>>>
>>> Some old features that were questionable from a security
>>> perspective have been removed. Classic example is register_globals,
>>> which has been off by default since version 4.2 (21 years ago) and
>>> was finally removed in version 5.4 (8 years ago).
>>>
>>> The most widely used frameworks have added features to make it
>>> easy to avoid common web security problems. Example: Laravel
>>> always checks for a token to prevent CSRF.
>>
>> And CSRF is a real problem.
>>
>> On OWASP top ten it made:
>>
>> 2007 - 5th
>> 2010 - 5th
>> 2013 - 8th
>> 2017 - missing
>> 2021 - 10th
>> 2023 API - 7th
>>
>> Modern web frameworks like PHP Laravel, ASP.NET MVC, RoR,
>> JSF etc. have built-in anti-forgery token support to prevent
>> CSRF.
>
> CSRF - what is it?
Cross Site Request Forgery
Simple (slightly oversimplified) example:
* you log in to your bank and the bank web server provides
you with a session cookie that your browser uses for
all requests in that session
* you need to do a money transfer so you fill out a
form with amount + from account + to account
* that form gets submitted to the bank as a POST request
* without closing the browser you go to www.verybadsite.com
* they show you a form with a USD amount and you expect them
to show the equivalent GBP amount
* but the form has 3 invisible fields: amount +
from account + to account filled out with an amount +
your account + their account, and the POST URL is the bank's
* when you hit submit the transfer goes to the bank
and your super friendly browser sends the cookie
with the request and the super friendly bank web server
has kept the session valid
https://en.wikipedia.org/wiki/Cross-site_request_forgery
Arne
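The synchronizer-token check that Laravel applies on every POST, shown as an added example that is not from this thread or from Laravel itself, written in Python so it runs stand-alone: the in-memory session store, the user and account names, and the forged and legitimate form submissions are all constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}


def login(user):
    """Log a user in; returns the session cookie the browser will attach to every request."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return cookie


def render_transfer_form(cookie):
    """The bank's own transfer page embeds the per-session token as a hidden field."""
    return {"_token": SESSIONS[cookie]["csrf_token"]}


def transfer_unprotected(cookie, form):
    """Vulnerable handler: trusts the cookie alone, so a forged cross-site POST succeeds."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "rejected: not logged in"
    return f"transferred {form['amount']} from {form['from']} to {form['to']}"


def transfer_protected(cookie, form):
    """Hardened handler: the POST must also carry the token only the bank's page knows."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "rejected: not logged in"
    submitted = form.get("_token", "")
    # Constant-time comparison, as the frameworks do, so the check itself leaks nothing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']} from {form['from']} to {form['to']}"


def demo():
    """Same session cookie, forged form vs. the bank's own form (all values constructed)."""
    cookie = login("alice")
    # Hidden fields from www.verybadsite.com: the browser attaches the cookie,
    # but the other site cannot read the token out of the bank's page.
    forged = {"amount": "1000", "from": "alice-acct", "to": "attacker-acct"}
    legit = {"amount": "50", "from": "alice-acct", "to": "savings",
             **render_transfer_form(cookie)}
    return (transfer_unprotected(cookie, forged),
            transfer_protected(cookie, forged),
            transfer_protected(cookie, legit))
```

Running `demo()` shows the unprotected handler moving the money on the forged request, the protected one rejecting it, and the protected one still accepting the bank's own form because it carries the token.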