As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.

Tom, I'm never going to your blog, that's for sure now.

"But since then, it's got a bit more complicated" -Tom Scott, 2013, describing the internet and the history of the universe in one sentence.

"My hand has lower ambitions than my brain does" Yeaaah I know the feel...

The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!

I love how passionate Tom is about this. You can really see it in his face and hear it in his voice.

After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to the Tom and the Computerphile team for spending their time and effort to make these great videos!

Please, don't ever stop making these.

where's the brown paper?

I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites. Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers screen-name authentication, and to modify my screen-name when I was in the chat. Worst-yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations. Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.

These Tom Scott videos are so addictive, I can't stop watching! xD

Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person i'd have wanted to be best friends with if we'd been kids at the same time and place

Tom is probably my favorite person on this channel. I just love the way he talks and I love the topics he has.

These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.

This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). I the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both this attacks are well-known and defended against.

These are awesome. This guy makes Computerphile the channel I look forward to. More of him.

Got an exam on this tomorrow, this was so helpful for me, thanks! The way you explain things makes them easily accessible

It's good having an episode of computerphile, mainly because the intricate and important details in computer are _so complicated_ even though I (thought) that I knew about computers. This kinda gives me a foundation. Also you should probably talk about logic gates, whether it's minecraft or whatnot, they explain how you could have to light switches for one light

Being a web-developer I highly enjoy this series. Tom really knows what he is talking about, and I just love the enthusiasm.

Great and informative video as always. Loving the amount of Tom on this channel.

I know little about IT or programming, but your videos are always very informative and easy to understand, so thanks!

Just wanting to let you guys not know that you are doing a great job I love watching your videos and always get excited when I see that you posted another one. I'm 16 years old and enjoy programming but thoose videos add another point of view to it and really get you thinking Greetings from Germany

This is great! :D I love the way Tom explains advanced terms in really simple ideas

This channel is absolutely amazing!

This mini series on security is just wonderfull. Love the content, love the voice, it's just great.

Ironically I saw "nonce" today in a code and I thought someone didn't follow code standard for nOnce or n_once. Now I know what they meant.

these videos jus seem to come right after i've implemented something for a project in my courses ... Thank you for informing me of these things, heavens knows I'll need them in the field

You'd be surprised how many web devs don't know about this in 2023

Very informative and explained in a simple and understandable manner. That's why Tom is my favorite, though I enjoy watching the others, too!

Can't i just load the other form in an invisible Iframe and then parse and search through the html retrieved? Use the token info and create my own form.

Tom, You are the best. Keep making those excellent videos.

Another great video guys, looking forward to more cool explanations. Keep up the awesome work!

Best quality of explaining anything ever possible!! Thanks A TONNN!

Excellent description of XSRF. Thank you. I understand the concept and defenses now.

This was really interesting. I was aware of cross-site-scripting and sql Injection but I had never heard of this. Thanks :)

I always wondered how Wordpress' nonce hash works. Thanks for the enlightenment!

Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!

This guy is an excellent presenter. Please, more of him.

Very helpful. I liked both the content and the way you described the CSRF. Thanks!!

Awesome video,great help. I'm always waiting for your new videos .

Great explanation, I did know this sort of attack existed but had never given much thought about how to mitigate it.

The tale in the beginning about POST and GET requests is a bit of an ideal case too. Many sites actually work just as well if instead of a GET request you make a POST request with the same content, or vice versa.

Love your videos! I will doing web computing in September at uni and these videos are excellent! Thanks

Actually learned this now by the video. Quite interesting and will eb sure to include this in serious projects in the future.

This guy is amazing! More videos by him please!

Will Tom be a regular? His bits are great.

I simply love all the Tom's videos, very well explained. Keep going with the good content, Mr. Red T-shirt haha - I don't know if it is intentional or not, so I don't want to be a jerk. :p.

I love this guy please keep making more videos with him

This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)

It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout the users needs to have been on the form which does the action, somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out and you could even track when they leave the form to immediately invalidate the nonce.

Nice video ! I already heard about it but I didn't understood everything, so you've made the web a safer place !

I've just watched the video, it was really helpful on my course! Thanks! 🙂

I know this is not relevant to this video, but can you do a video on elliptic curve RSA cryptography?

Awesome Video, Systems security is to my mind the best subject to do videos on, keep doing that, this is very interesting, very useful ! Keep UP that good work

Thanks for the video. This is really useful.

I've been looking for a video that I can send to my non-techie friends to give them slight idea about XSRF. This video is what I've seen so far that's lay-man friendly.

Great Video. As a novice web developer these videos help immensely. Keep them coming. A video on how to design a site which can be logged into securely would be very helpful.

Excellent explanation in simplest terms!

So...what the hell does nonce mean in Britain?

Great, now i've got to rewrite the project i'm working on. I didn't know about this and it's so obvious. Good video!

still relevant even nowadays how beautiful

Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt tipped pen sound quieter/non existent. It makes my toes curl!

Thank you Dawson from Dawson's Creek!

you request the token with your script and later in the script you use that token easy if the form is standardized-like deleting enemy facebook pages

Awesome...never even thought of such security issue...I think chrome's sandboxing of the tabs won't help here coz I have seen the sessions and cookies are shared across tabs....Keep it coming - love the videos

Really interesting! But how do you know if your bank, etc. is using the token system? Also, can we get a computerphile video explaining bitcoin?

been waiting for this video

I love these videos, thank you.

I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.

Hmmmm, time to add that to my project! :P Thank you Computerphile!

Here's one consideration on how important it is to validate user input on the server side. Take any disabled html element. Open up firebug console and run some javascript, eg. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.

Brilliant Video! Awesome and clear explanation!

Ya know, if accepting request from other website would work, then the form would likely be accessible by javascript running from the other website as well. Which means, my javascript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.

Why does the camera randomly zoom in some times? it's really distracting.

This guy is so good. More of him! :D

thanks for this magnificent explanation!

I'm a web developer and I didn't know the solution. Thank you very much.

Tom Scott, I want to visit your awesome blog.

This guy's videos are brilliant! Web security and hacking is so interesting. :)

The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.

Being able to create your own version of a form a send that is a problem in general, as you could also strip out any checks in the original form you don't like.

I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?

great vid ! So on a website you would store in a database the csrf token everytime a user logs in ?

great explanation with a fantastic example! at the end you talked about how we should check if a token is being sent - how can we do this? is it just making sure we have the https instead of http in the URL?

Love this guy! Great video(s)!

Tom is good, a very good presenter.

Ty for those lessons, they are so cool!!!

Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?

It just gets better!

You can easily get around the random number thing just by making a PHP request to the site and grabbing that form element and inserting it right into your page! Then the random token will be correct everytime because the data is coming directly from the server.

Lucky for me, I have learnt this in first class of my education.

Ohhhhhh, so that's what the nonce thing is. Thanks Tom!

And here's the third one... Tom great as always. By the way, with Django framework the way to prevent it is as simple and comfortable as adding {% csrf_token %} inside the form tag =).

"A bit more complicated". My new catch phrase. :)

More from this guy!

I just learned about nonces yesterday and implemented one ;)

Interesting as always!

Wonder if the games I play use it in their deletion form? _goes off to make a post in the staff forum to bring it to their attention just in case_

Thank you. Is there a way to know if a site is using tokens?

Thanks for helping me learn the valuable lesson of what a 'nonce' is in UK.