Ziyahan Albeniz

Security Researcher

Biography

1986, Istanbul. He graduated in Computer Programming from Sakarya University. He works at Netsparker as a security researcher and continues his work under the mentorship of Ferruh Mavituna. He has reported issues to many large companies and has been listed in their halls of fame. His articles and research are published on the Netsparker Turkey Security Blog, and he prepares and presents a security podcast called Klavye Delikanlıları with Mustafa Yalcin.

Make CSRF Great Again

In today's world, interconnected services apparently make our lives easier. You can log in to a service with an account you already have, and you can easily synchronize your devices through one shared account. However, the attack surface keeps getting bigger. Many companies' bounty programs exclude CSRF, and especially do not accept Login/Logout CSRF. In recent years its perceived importance and priority have declined. In this talk, we will demonstrate why CSRF is still a giant and how that giant is starting to wake again: how dangerous it can be when combined with Login/Logout CSRF in applications with Single Sign-On, browser behaviours, history pollution and more.

Real World Stories
Login/Logout CSRF (Login Once, Get Hacked Everywhere)
History Pollution (SWAT Team Raids Your Home Suddenly)
What You See Is Actually What I Want You to See (Polluting Your Amazon Browsing)
CSRF as Part of a Combined Attack (Login XSS, Self XSS)

The speaker will explain some vulnerabilities he identified in popular applications:
Grammarly (accessing private documents)
Yandex Browser (accessing browser history, credentials, current session)
Exploiting an XSS in OpenCart by using CSRF (ability to hijack sessions)