CSRF - how to find it in 2024? CSRF bug bounty case study

📕 Full case study:
📧 Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
📣 Follow me on Twitter: https://bbre.dev/tw

This video is a part of the CSRF case study where I extracted all the disclosed CSRF reports from the Internet and I studied them to adjust my CSRF bug hunting methodology. This free part of the case study covers the SameSite attribute and its impact on reports.

🖥 Get $100 in credits for Digital Ocean: https://bbre.dev/do

Reports mentioned in the video:
Medium: facebook-sms-captcha-was-vulnerable-to-csrf-attack
https://github.com/cymtrick/lol/blob/...
https://yeuchimse.com/csrf-protection...
https://bugs.xdavidhu.me/google/2021/...
Creating a YouTube TV that could stea...
https://ermetic.com/blog/azure/emojid...
https://gitlab.com/gitlab-org/gitlab/...
Client-side path traversal vulnerabil...
https://webs3c.com/t/csrf-leads-to-ac...


Timestamps:

00:00 Intro
00:40 GET-based CSRF
2:43 CSRF reports by year
4:40 Reports that don't mention SameSite
7:39 SameSite=None
9:08 Client-side path traversal
11:41 Exploiting Chrome's 2-minute attack window