[Feat] create security csrf doc, init click hijacking #8
toanngocdev wants to merge 51 commits into main from feat/security/csrf

51 commits
13c9ac8
feat: create security csrf doc, init click hijacking
toanngocdev ba6fa26
feat: create security csrf doc, init dos/ddos
toanngocdev 6d1b5d6
chore: add missing dependencies for fumadocs, zod and lucide-react (#7)
Yarnnguyen 3c7d570
feat: Create Bun docs
teddynguyennn aebfa3c
feat: Create table component, write document for Bun in Package manager
teddynguyennn c70cde1
feat: update bun bundle and run time more detail
teddynguyennn f119f42
feat: add bun install step before lint
teddynguyennn 9963f69
Add npm documentation
Simon-Vu-sudo fa7b83f
feat: Create document for Pnpm package manager
teddynguyennn a7e855f
feat: update outline for server state management doc
tienanh0026 931cbba
feat: add server state management doc content
tienanh0026 d101f55
feat: update outline for hybrid state management docs
tienanh0026 290b99a
feat: add design patterns documentation and update meta information
namf2001 eb48318
feat: add design patterns documentation and update meta information
namf2001 6302776
feat: create JWT docs
teddynguyennn 879ca0c
fix_v2:update docs jwt
teddynguyennn 6a2ea31
chore: upgrade dependencies
nhattran998 597c76b
fix(docs): update npm package manager content
nhattran998 10166ab
fix_v3:update docs jwt
teddynguyennn e7a14d3
fix(docs): update index key in index pages
nhattran998 e41bc59
fix: next app cannot build
nhattran998 40dffb5
cd: update deployment config
nhattran998 898b6ab
workflow: update github config
nhattran998 2461f3a
chore: update config
nhattran998 16f6de4
Release 0.0.1
nhattran998 98adc22
workflow: fix bun install
nhattran998 1adadff
workflow: fix bun install
nhattran998 a976ca7
workflow: fix bun install
nhattran998 4a30172
workflow: fix bun build
nhattran998 caae8fe
fix: update deployment scripts
nhattran998 e2c802f
fix: update scripts build docker
nhattran998 7e6dda0
release 0.0.5
nhattran998 8d0c7c2
release 0.0.6
nhattran998 46c85bc
fix: add missing base config in creating PR action
nhattran998 6fe7a16
Release 0.0.7
nhattran998 7bfc559
chore: revert the old auto commit bot
nhattran998 db9afda
Release 0.0.8
nhattran998 88defdc
Release 0.0.8 + update docker-compose.yml files
56f24f2
fix(docs): enhance Command Pattern documentation with detailed exampl…
namf2001 0717527
init structure document
4232aa5
Init structure V2
peter-nguyennn 58c4ead
feat: Improvement Pnpm and Bun docs
teddynguyennn 61daf2e
Update image name, fix format comment
teddynguyennn d7e8f51
update: bloom filter document
76ac22d
add: reference
57491cc
add: introduce problem and some solutions for common quick lookup pro…
28e550b
update: algorithm description
04a1077
add: author name
812045a
update: code to typescript
64b3eea
feat: create bundler tool items, vite doc structure
teddynguyennn ccc4f9b
fix: csrf comments
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| title: Click Hijacking | ||
| description: Display file structure in your documentation | ||
| preview: "Click Hijacking" | ||
| --- | ||
|
|
||
| ## Usage | ||
|
|
||
| Wrap file components in `Click Hijacking`. |
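Review bot: the front matter and body of this new page are placeholder text unrelated to the topic: `description: Display file structure in your documentation` and `Wrap file components in `Click Hijacking`.` describe a documentation component, not an attack, and would be published as-is by the docs site. If the page is meant to land as a stub (the commit says "init click hijacking"), replace the description with a one-line definition of the topic, drop the `## Usage` section, and consider aligning the title with the common name for this attack, clickjacking (UI redressing), so readers searching for it find the page.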
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| --- | ||
| title: Cross-site Request Forgery (CSRF) | ||
| description: Understand CSRF attack and how to prevent it. | ||
| preview: "CSRF" | ||
| --- | ||
|
|
||
| ## What is CSRF ? | ||
|
|
||
| <b>CSRF</b> is a type of web vulnerability that allows the attackers to trick user into performing | ||
| unwanted actions on a web application where they are authenticated. | ||
|
|
||
| The attackers can create links that resemble familiar applications, such as "faceebook.com" which kinda famillar to "facebook.com". | ||
| Clicking on these links can unknowingly send requests to the Facebook server, potentially leading to unwanted consequences for your account. | ||
|
|
||
| ## How does CSRF work ? | ||
|
|
||
| For example, you have an API that lets the user change password on their account. When a user performs this action, they will make an HTTP request as shown: | ||
|
|
||
| ``` | ||
| POST /update-password HTTP/1.1 | ||
| Host: facebook.com | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Content-Length: 30 | ||
| Cookie: session=someRandomSessionToken | ||
| password=istoleyourpassword | ||
| ``` | ||
|
|
||
| With the information shown, the attacker can create a web page for example "faceebook.com" containing the following HTML: | ||
|
|
||
| ``` | ||
| <html> | ||
| <body> | ||
| <form action="https://facebook.com/update-password" method="POST"> | ||
| <input type="hidden" name="email" value="istoleyourpassword" /> | ||
| </form> | ||
| <script> | ||
| document.forms[0].submit(); | ||
| </script> | ||
| </body> | ||
| </html> | ||
| ``` | ||
|
|
||
| If the user visits the above web page, the action will automatically be trigger and if the user is logged in to the website, in the example is "facebook.com", | ||
| their browser will include their session cookie in the request. And the target website, which is "facebook.com" will treat the request as having been made by the victim user | ||
| and change their password | ||
|
|
||
| ## How dangerous are CSRF attacks ? | ||
|
|
||
| <b>Transferring funds or Making purchases:</b> | ||
| Attackers could initiate unauthorized money transfers from your bank account or make purchases on. | ||
| your behalf from online stores. | ||
|
|
||
| <b>Posting unwanted content:</b> | ||
| Attackers could post messages or content on your social media accounts or other online platforms. | ||
|
|
||
| <b>Modifying sensitive data:</b> | ||
| Attackers could change your account settings, passwords or other personal information. | ||
|
|
||
|
|
||
| The cost can be significant depends on the attackers skills. | ||
|
|
||
| ## How to property prevent CSRF attacks ? | ||
|
|
||
| There are severals methods to prevent <b>CSRF</b> attacks: | ||
|
|
||
| <b>Use Anti-CSRF Tokens:</b> | ||
| This is the most common and effective method to prevent a <b>CSRF</b> attack. Each form submission | ||
| includes a unique, unpredictable token that the server verifies. When a CSRF token is generated it | ||
| should be stored server-side within the user's session data. When a subsequent request is received | ||
| that requires validation, the server-side application should verify that the request includes a | ||
| token which matches the value that was stored in the user's session. | ||
|
|
||
| In the form on client-side should have a hidden field that holds the value of the token that generated on server-side: | ||
|
|
||
| ``` | ||
| <input type="hidden" name="csrf-token" value="aTokenThatGeneratedOnServer" /> | ||
| ``` | ||
|
|
||
|
|
||
| <b>SameSite Cookie Attribute:</b> | ||
| This attribute helps the browser decide whether to send cookies along with cross-site requests. The | ||
| values of this attribute are `Lax`, `Strict` or `None`. The `Strict` value will prevent the cookie | ||
| from being sent by the browser to the target site in all cross-site browsing context, even when | ||
| following a regular link. This attribute should not replace a CSRF Token. It should co-exist with | ||
| the token to protect the user like a second layer of defense. | ||
|
|
||
|
|
||
| <b>Check the Origin and Referrer Headers:</b> | ||
| You need to determine the origin that request is going to/coming from. On server, you need to verify | ||
| if both of them match. If they do, so you can accept the request as ligitimate and if they don't, | ||
| you can discard the request | ||
|
|
||
|
|
||
| ## If you want to dive deeper on CSRF | ||
|
|
||
| <b>References:</b> I gathered information for this document about CSRF on these awesome websites | ||
|
|
||
| [OWASP](https://owasp.org/www-community/attacks/csrf) - OWASP offical site is a really reliable | ||
| source about security. They have documents about not only <b>CSRF</b>, there have also alot of | ||
| documents related to web security in general. | ||
|
|
||
| [Cloudflare](https://developers.cloudflare.com/waf/troubleshooting/samesite-cookie-interaction/) - | ||
| Another reliable source about security. | ||
|
|
||
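Review bot: the attacker's form in the second code block does not reproduce the request it is meant to forge: the captured request body is `password=istoleyourpassword`, but the hidden input is `<input type="hidden" name="email" value="istoleyourpassword" />`, so the field should be `name="password"` for the walkthrough to hold together (and `Content-Length: 30` does not match the 27-byte body shown; either fix the number or drop the header). In "What is CSRF ?", the lookalike domain `faceebook.com` is only a delivery trick; the attack works from any attacker-controlled page because, as the later paragraph correctly says, the browser attaches the session cookie regardless of which site issued the request, so it is worth stating that explicitly rather than implying the domain name matters. Under "Check the Origin and Referrer Headers", "verify if both of them match" is unclear: say that the server compares the `Origin` header (falling back to `Referer` when `Origin` is absent) against its own expected origin and rejects anything else; the header name is spelled `Referer`. The SameSite paragraph names `Lax`, `Strict` and `None` but explains only `Strict`; one sentence each on `Lax` and `None` would make the "second layer of defense" point usable. Spelling in headings and prose: `property` should be `properly`, plus `severals`, `ligitimate`, `offical`, `alot`, `famillar`, and the missing period after "change their password".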
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| title: Denial-of-service & Distributed Denial-of-service (DOS & DDOS) | ||
| description: Understand DOS/DDOS and how to prevent it. | ||
| preview: "DOS & DDOS" | ||
| --- | ||
|
|
||
| ## Usage | ||
|
|
||
| Wrap file components in `DOS & DDOS`. |
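Review bot: the body of this page is template filler that contradicts its own front matter: the description promises "Understand DOS/DDOS and how to prevent it" while the only section is `## Usage` with `Wrap file components in `DOS & DDOS`.`, which has nothing to do with denial of service. Either fill in at least a definition and a short prevention section before merging, or leave the page out of this PR so the published docs do not expose an empty topic.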