#31 Spring Security | CSRF Token

Transcript

00:00

In this video we'll focus on CSRF, which stands for cross-site request forgery. But why exactly do we have to talk about this? We'll do that with the help of an example. Okay, so two things: one, we'll talk about the theory; we'll also see how it works in the example which

00:17

we are doing. So let's get started. So let's say, till this point, what we are doing is we got a client, right, from where you are sending a request, and of course this client can be Postman, this client can be a browser or any other application. And then we got a server

00:32

here, right, and this is a server which we are building in Spring Boot, so this is your Spring Boot server. And now when a client sends a request, of course we are implementing security, that means whenever you send a request from client to server you have to also send

00:48

your login details for the first time. If it is not there, then of course it will say, hey, who are you? You will not get the access, and we were getting the errors, right? So that's why we have to first enter the username and password; you have to log in. Now when you log in, what happens is, when you pass the

01:04

username and password by doing login, what you receive from the server is success, of course, and also you receive a session ID. So I want to show you the running project. This project is not running now; let's run this and let's hit the URL. So this is the login form you are

01:20

getting, right, and when you say username and password, so let's say navin and Telusko, enter, you got this message which is "Welcome with Telusko", but also you received a session ID. So if you refresh this multiple times, every time you will get the same session ID, and that's how the server knows, hey, this person is logged in, so

01:36

let's not ask for login again, right? So it doesn't matter which URL you hit, you will use this session ID. So that means what you have on your client is the session ID, so every time you send a request, let's say if you want to get details about a particular resource, in that case also you have to send the

01:53

session ID. So till you have the session ID, whatever the ID is, let's say 1256, that's your ID. Now if you have this ID the server will verify, and the server says okay, you are already an authenticated user, I will give you the access. So this is good, right? You don't have to log in multiple

02:08

times, and I don't remember the last time I logged in when I used Gmail. So basically every time you use these famous applications, you normally prefer them to have "stay signed in", which means every time you go there on your browser you don't have to log in again. Is it good? Of course, it will save your time. Is

02:25

it bad? Sometimes. Let me tell you why. So let's say I'm using a third-party resource here, any website which is not good. I mean most of the applications are secure, but let's say if you go for downloading a pirated movie, and when you

02:40

visit a particular website which is not... of course you get things for free there, but what you don't understand is most of these websites are malicious. They run some script and they will steal from you. Then you will say how? So let's say I visit a particular website which I should not; let's say I'm downloading a

02:55

particular cracked version of a software and I'm going to this website and it says, hey, get this software for free. I'm so happy, and then when I'm downloading it, while in that downloading, it will give me some popup: allow download, allow this file access, and you say okay, allow everything, allow, because I want

03:11

this software. And now this particular script which is there in the malicious... I will name this as a malicious software. I know my handwriting is bad, but you got the point, right? So if I'm going to this malicious software, what this will do is this will run some script and it will

03:27

get this session ID, because I'm signed in from this particular machine, and then it will send the request to the server. Now the server thought, hey, you know, I got the request using this session ID and it's valid, so it will give the access, and then this particular malicious software or the

03:44

website is stealing my information. That's wrong, but it happens, and that's why you should not go to some weird websites. Now if you talk about this thing, how do we stop this? And this problem is called CSRF, which is cross-site because it is from another website, request forgery because they

04:00

have... they are doing the request on your behalf, and we need to stop it. And by default your Spring Security will take care of it; I will show you how. But then when you talk about the protocol called HTTP, it got multiple methods, right? It's not just one. So CSRF works with, I

04:15

mean, when you talk about CSRF, HTTP by default gives you different methods, right? So you work with GET for fetching data, you work with POST, you work with PUT, you work with DELETE. Now when you talk about these methods like PUT, POST, DELETE, they actually change something on

04:31

the server, and by default it will take care of the CSRF. So Spring Security will not allow you to do these operations if you're not handling the CSRF, but GET is a bit normal, right? So it will allow GET. Now the question arises: how will

04:46

you make it work? How will you secure it? Now if you go back here, don't you think this session ID is wrong, which should be created every time? So what I feel is you should get a new session ID every time. So it's something like, see, HTTP by default is stateless, right? So it

05:03

will not remember who you are, and that's why we have this session ID which will remind the server, hey, I'm that person. But what if you generate a new session ID every time? So of course even if someone is hacking your session ID they can't get access to it, they can't

05:18

actually access the server. That's one. The next way you can do is, every time you send a request to the server, the server should generate a token, a unique token, and you can send that token every time you want to send the request. I mean that will be solved, right? And that is called the CSRF token. Okay, let

05:35

me show you where we can see that. So if I go to the browser and if I say log out, because we are changing some data from the server now, so if I say log out, of course we got this page, but if you see the view source of this page... okay, this is the thing I want to do that on my Chrome browser, so

05:53

login, no thanks. Okay, so if I do a log out from here and we got this page, let's go to the view source, and this is the source. Now if you observe, there's a lot of content, actually not, but yeah, we have some content on top here, but if you see,

06:10

there's a special input tag which is by default hidden; it's not there on the page, but it has a value. So we got the name _csrf and then this is the value. So if you can use this token to send, your job is done. But how will you

06:25

do that, and how will I know this token first of all? So to understand this let's create an example. Okay, so let's go back to the project and let's understand this step by step. What I will do is I will create one more controller here. I will say Java class and I name this as

06:41

StudentController. Okay, and in this I will have some operations. So first of all I will just make this as a REST controller, and here I will have some methods for getting all the students. But I want to represent Student as well, right? I should do that in a separate package, but since we are in the learning phase I will put everything in

06:56

one package. So that is Student, and in this Student I will create some variables: private int id and private String name, and let's say marks, so private int marks. Okay, so we got these three fields, and for these three fields

07:11

I need getters and setters. Of course I could have used Lombok, but let's say generate getters and setters for all the variables, and also I need a constructor, a parameterized constructor here for all three variables. And next I

07:27

need a toString to print it. Okay, so we got these things here in the Student, and now in the controller basically I will create some objects. I'm not making it as a component because normally for normal POJOs you don't

07:42

make them a component; standard practice, okay. So I will create a method here which will return me the list of students. So let's say from the browser, if I want to access... let's say if I go back here and refresh, it is still working. So let's say if I request for students, of course you will

07:59

not get anything because we don't have a mapping for it. So when I call for students it should print the list of students. So here I can return a list of students, import the package, and here I will say getStudents. So I should do the mapping as well, so this will be a GetMapping and I'll be doing it for /

08:17

students. So whenever someone requests for this I will execute this method, and this should return a list of students. I don't have it, so ideally if you think about the application, the data should be there in the database; there should be some more layers, repository layer, service layer, but let's say I'm skipping those things now. I will just

08:33

have that here, again not a good idea, but it works for this scenario, I mean for the example. So I will say list of students, and let me have some hardcoded values, so List.of. Okay, so I want to have the first

08:51

object, new Student. It should have some values, let's say 1, navin, and let's say some marks, 60. And let's add only two objects, so 2, Ken, and let's say 65. Okay, so we got two

09:08

students, and now here I want to basically return those two students. So I will say return students. Our job is done, right? So this will return the data, and now if I refresh, let's see if this works. So restart, done, let me go back to my browser and refresh, and you can see we got data. So this is working, right, and

09:25

this is awesome. So we got this data here. I just want to check if the security is still enabled; yeah, it's enabled. So you can see we got the data, but what if you want to create a student? So let's say I go to my Postman; now this time we'll do it with Postman, and I want to get the students, and if I say send, so

09:44

you can see we got data, and we are passing the username and password as well. But now this time I want to create a new student. So let's say we got these two students and now I want to create a new one. I will just use this data and let's create a new student. So I will go to a POST request; I want the same URL but this time a POST request, and in the

10:00

body I want to have this data. So this should be 3, let's say harsh, and harsh got let's say 70. So we got this data there, and now ideally what should happen is it should give you an error that the method is not there. If I click on send,

10:16

it is saying unauthorized. This is weird. What I will do is I will go back to my code and I will disable this Spring Security just to see what happens, what type of errors you get. So Maven reload, done. Now we are not implementing Spring Security and I don't

10:32

even want to pass the authorization data; I will keep it No Auth because we don't have Spring Security now. And in the body I want this data. First of all I will try to do send. Okay, so you can see this is what I was expecting: it says 405 Method Not Allowed, but what you got is

10:48

unauthorized. Now that is weird, but first of all let's create this method so that you will not get this error. So go back here to the code and let's create a method which will accept the POST mapping. So I will say PostMapping and here I will say /students. The URL

11:04

is the same but the mapping is different, and this will return a Student; whatever student you're adding it will return the same student. And I will say addStudent, and here basically I want to accept that student, so I will say @RequestBody and Student, let's say student. I'm accepting

11:19

a student and this student I want to add in the list. How will you add? It's very simple: you say students.add and you will pass the new student. It's that simple. Again, of course, it should be in the database, but since we are doing hardcoding here this works. And we have

11:35

to also return the student, so return the student, whatever you're receiving, let's send that. So we have implemented the method. I will just restart the application and let's see, will it work? Let's go back and click on send. So you can see it says OK; that's good. And if

11:52

you try to fetch all the students now, you can see we got three students. So this is working, right? We are happy. But as soon as you enable this Spring Security, let's see what happens. I'm enabling the Spring Security now; restart.

12:08

Okay, so let's try to do the GET students first. I will click on send, and of course we are passing authorization, so it should work. But if you go back to POST, and now if you try to add the same data, and in the authorization we have to go for Basic Auth with the same values,

12:23

click on send. It should work, right? It's not. It's because the CSRF token is not there. So whenever you do any update request, like PUT, POST and DELETE, where you're changing something, you have to send the CSRF token, otherwise it will not work. Okay, how will you make it work then? So one

12:40

thing I want to try is, how do you send the CSRF token? You can just go back to the headers and here you have to pass one of the key-value pairs, which is X-CSRF-TOKEN. This is what

12:57

you have to send. Now I know the key; I don't know the value. Maybe I can get the value from the browser. Not a good idea, but let's try. So I will just go back here and I want to get the token, so I will say localhost:8080. How will I get the token? You get

13:13

the token from /logout. Don't do the logout, just go on this page, right-click, view page source, and just copy this. This is your token. I will just reduce the size of it so that I can copy it in one go.

13:29

Okay, copy. I'm not sure if this works; let's try. Paste, send. It's not working, so maybe I have to generate the token and get it. I thought it would work. Okay, no problem, let's generate the token from the code and it might work. You try it out and let me

13:45

know if it is working for you. So I don't want to get that from the browser; again, it's not a good idea to get this from the browser. Can you return the token from here, so from this particular code? So what you can do is you can request for the token and you can send it. So I will say public,

14:03

and it should return a CSRF token, so I will say CsrfToken, and this is coming from org.springframework.security.web.csrf, and say, maybe I will say getCsrfToken, and this should return a

14:20

token, right. Now what should be the mapping? Maybe I will say GetMapping, and the URL I want here is csrf-token. So when I request for this it will generate a token for you, okay, and then you should return a token. Now how will you do that? That's tricky. See, when

14:37

you talk about a method like HTTP... okay, so when you talk about a protocol like HTTP, and when you're working with servlets, because behind the scenes Spring is a servlet, right, or Spring MVC is a servlet, and if you go back to hello, we have used one of the

14:52

object types which is the HttpServletRequest, right. Now if you get the object of request, you can get a lot of data, including the session ID and also the token. So I can just go back here and say HttpServletRequest request, and with this

15:08

request... okay, where am I doing that? Wrong place, wrong place, it should be here, and request, okay. And here, with the help of that object, so we will return, so from the request dot... request has a lot of methods, one of them is getAttribute. Now what is the attribute name? Remember when we were

15:24

trying to see the browser, not this one, yeah, this one, this is the name, which is underscore csrf. So I will simply use it here in double quotes, "_csrf", and you will get the token, right? But then getAttribute gives you a type

15:41

of Object; you want a type of CsrfToken. So you know it's very simple: you have to just do type casting, so cast it with this, your job is done. So what this will do is this will give you a CSRF token which you can use to send the request. Let's try. Or maybe the token was not

15:57

working when we tried with the browser... I don't know how I forgot that we are using two different users, right? The browser is a different user, Postman is a different user. Okay, so here I will go back to my Postman, not the browser. Where is my Postman? It's here. Okay, so now I will

16:14

first of all check if the students are working. This is working, but I don't want to request for students; I want to fetch the CSRF token. Click on the request, and this is the token you got. You can see this is the parameter, CSRF, I have token, and this is the value. So

16:30

when you copy, you have to make sure that you copy from double quotes to double quotes, and copy. So you can see the header name should be this, X-CSRF-TOKEN, and now when you get this token you can just go to your POST request and in the headers we got the

16:46

key; replace the value, this is the value, new value, and I hope this will work. The body is the same, the headers we have changed, send. It worked. Okay, so this is good, right? So this is how basically you generate a token and send it. There

17:04

are two more ways to handle this. One, in fact, we have talked about before: what if you simply generate a new session every time? Then you don't have to worry about the CSRF; you can disable it, you can disable the check of it on the server side, and we'll see how

17:19

we do that in upcoming sessions, but you can disable that. Next, you can work with SameSite strict, so you can make sure that no other site can access it. So that's one of the ways you can do that. So yeah, that's it from this video where we talked about the CSRF token, but

17:35

again, as I mentioned, you can also disable it and make sure that you generate a new session, or basically you make your HTTP stateless or your session stateless. How do we do that? Let's see in the upcoming video. So in this video we focused on the CSRF token: how do we generate it, what problems it creates, how do we

17:51

handle it. I hope you enjoyed; so let's see in the next video. Bye-bye.