[WEB SECURITY] Anti-CSRF mesaues will mitigate XSS
p0wnsauc3 at gmail.com
Thu Jun 24 23:12:15 EDT 2010
Well most of the time it happens so, one recommendation would have changes on the other findings as well. Offcourse only to hope the team plugging the holed in not adding more bugs to it :-)
As far as the CSRF getting fixed because of your recommendation is good, but fixing both the issues independently is important. Both XSS and CSRF are independent of each other.
Sent from BlackBerry® - Vodafone
From: nilesh kumar <nileshkumar83 at yahoo.co.in>
Date: Thu, 24 Jun 2010 14:09:27
To: <websecurity at webappsec.org>
Subject: [WEB SECURITY] Anti-CSRF mesaues will mitigate XSS
Although it's not a new idea. But during an assessment of an application, I and my colleague was discussing about a scenario in the application. The application had login section behind which there were few pages that were vulnerable to Reflected XSS. Application was also vulnerable to CSRF.
Needless to say that we suggested anti-CSRF measures for the application. Although we also suggested anti-XSS measures but the anti-CSRF measures were good enough to mitigate any attempt to exploit the reflected XSS flaws on the pages behind authentication. The application was rejecting any external request.
So any attempt to exploit the reflected XSS will bear no fruit in scenario like this.
Your valuable thoughts?
Thanks & Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity