fix 404 links

Satoshi SAKAO
2020-04-14 18:50:37 +09:00
committed by Nanne Baars
parent d7ae3a4391
commit 9063b4137f
5 changed files with 10 additions and 10 deletions

@ -19,7 +19,7 @@ Another defense can be to add a custom request header to each call. This will wo
with the server are performed with JavaScript. On the server side you only need to check the presence of this header
if this header is not present deny the request.
Some frameworks offer this implementation by default however researcer Alex Infuhr found out that this can be bypassed
as well. You can read about: http://insert-blogspot.nl/2018/05/adobe-reader-pdf-client-side-request.html?m=1[Adobe Reader PDF - Client Side Request Injection]
as well. You can read about: https://insert-script.blogspot.com/2018/05/adobe-reader-pdf-client-side-request.html[Adobe Reader PDF - Client Side Request Injection]
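Review bot: The unchanged context line directly above the corrected link still reads "researcer Alex Infuhr"; since this paragraph is already being touched for the link, correct it to "researcher" in the same change. The sentence before it ("check the presence of this header if this header is not present deny the request") runs two sentences together and could take a full stop after the first "header". The replacement URL itself moves to https and drops the `?m=1` mobile parameter, which looks right.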

@ -15,7 +15,7 @@ For example requests for `http://webgoat.org/something` will attach same-site co
There are two modes, strict and lax. The first one does not allow cross site request, this means when you are on
github.com and you want to like it through Facebook (and Facebook specifies same-site as strict) you will be
redirected to the login page, because the browser does not attach the cookie for Facebook.
More information can be found here: www.sjoerdlangkemper.nl/2016/04/14/preventin-csrf-with-samesite-cookie-attribute/
More information can be found here: https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
=== Other protections
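Review bot: The replacement line leaves the reference as a bare URL after "More information can be found here:", while the link fixed in the other file uses the AsciiDoc `url[label]` form. For consistency, give this one a label as well, for example `https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/[Preventing CSRF with the same-site cookie attribute]`, so the rendered lesson shows a title rather than a long URL.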
@ -24,10 +24,10 @@ Tomcat have this on by default. As long as you don't turn it off (like it is in
See the following for more information on CSRF protections:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet (Prevention/Defense)
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html (Prevention/Defense)
https://owasp.org/www-community/attacks/csrf (Attack)
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter / https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter (Tomcat)
https://docs.spring.io/spring-security/site/docs/current/reference/html5/#csrf
https://docs.spring.io/spring-security/site/docs/current/reference/html5/#csrf
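Review bot: The last two lines of this hunk, the Spring Security link, are identical in the visible text, so that part of the change can only be whitespace or an end-of-file newline; confirm it is intended, or drop it from a commit whose stated purpose is fixing 404 links. That URL also points at `docs/current` with an `#csrf` fragment, so it tracks whatever the latest release publishes; a versioned documentation URL would be less likely to break again.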