[WEB SECURITY] Anti-CSRF mesaues will mitigate XSS

Santhosh Kumar K santoshkumar at temenos.com
Fri Jun 25 03:55:42 EDT 2010


Hi Erlend,

You are correct, I forgot to mention the GET and POST requests.
Of course we can't bind tokens to GET requests because of the
requirement of bookmarking web pages etc.

Regards,
K. Santhosh Kumar


-----Original Message-----
From: Erlend Oftedal [mailto:erlend at oftedal.no] 
Sent: Friday, June 25, 2010 12:54 PM
To: Santhosh Kumar K
Cc: nilesh kumar; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Anti-CSRF mesaues will mitigate XSS


Hi

This sounds a bit too generic in my opinion.
Reflected XSS can occur on both POST and GET. If you add XSRF tokens to
both POST and GET, that will make it impossible to create a URL with a
reflected XSS attack, because - as you said - the token expires. However,
I would probably be very hesitant to ever add XSRF tokens to GET requests,
because this also has the drawback of making it impossible for users to
bookmark, send URLs to others etc.

Imho a GET request should never change anything server side, and thus an
XSRF token is not really needed. As long as one adheres to this policy,
bookmarking etc. works as expected.

And of course stored XSS will still be possible.

XSS is a matter of properly escaping your data depending on context. I
would never recommend XSRF tokens as a solution for XSS problems. What if
you at some point down the road change to not use XSRF tokens on GET, and
forget that this is also supposed to protect against XSS?


-
Erlend Oftedal


On Fri, 25 Jun 2010, Santhosh Kumar K wrote:

> Hi,
>
>
>
> I too came across such a discussion before and we concluded that
> fixing CSRF with random tokens attached to every request would fix CSRF
> & XSS is not possible because at the time of attack the token
> invalidates.
>
>
>
> Regards,
>
> K. Santhosh Kumar
>
> Application Security Testing Engineer
>
> Security Technology
>
> Tel: 044-4223 1563
>
>
>
> TEMENOS
> The Banking Software Company
>
>
>
> Security is a state of mind!!!
>
>
>
> From: nilesh kumar [mailto:nileshkumar83 at yahoo.co.in]
> Sent: Thursday, June 24, 2010 2:09 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Anti-CSRF mesaues will mitigate XSS
>
>
>
> Hi List,
>
> Although it's not a new idea, during an assessment of an
> application, my colleague and I were discussing a scenario in the
> application. The application had a login section behind which there were
> a few pages that were vulnerable to Reflected XSS. The application was also
> vulnerable to CSRF.
> Needless to say, we suggested anti-CSRF measures for the
> application. Although we also suggested anti-XSS measures, the
> anti-CSRF measures were good enough to mitigate any attempt to exploit
> the reflected XSS flaws on the pages behind authentication. The
> application was rejecting any external request.
>
> So any attempt to exploit the reflected XSS will bear no fruit in a
> scenario like this.
>
> Your valuable thoughts?
>
> Thanks & Regards,
> Nilesh Kumar,
> Security Analyst
> Honeywell, India
> http://nileshkumar83.blogspot.com
>
>
>
The information in this e-mail and any attachments is confidential and may be legally privileged. 
It is intended solely for the addressee or addressees. Any use or disclosure of the contents 
of this e-mail/attachments by a not intended recipient is unauthorized and may be unlawful. 
If you have received this e-mail in error please notify the sender. 
Please note that any views or opinions presented in this e-mail are solely those of the author and 
do not necessarily represent those of TEMENOS. 
We recommend that you check this e-mail and any attachments against viruses. 
TEMENOS accepts no liability for any damage caused by any malicious code or virus transmitted by this e-mail.
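The point Erlend makes in the thread, that an anti-CSRF token bound to state-changing requests does nothing for a reflected XSS delivered through a GET parameter and that context-aware output escaping is the actual fix, can be shown with a small stand-alone model of a request handler. This is an added example, not code from any of the posters or from the applications they assessed; the session dict, the `q` search parameter, the `csrf_token` form field and the query strings are constructed for illustration.

```python
import html
import hmac
import secrets
from urllib.parse import parse_qs

# Methods that, per the policy argued in the thread, must never change
# server-side state and therefore carry no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Bind a fresh random token to the (hypothetical) server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(method, session, form):
    """Accept safe methods unconditionally; for state-changing methods,
    require the submitted token to match the session's token."""
    if method in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, supplied)


def render_search(query, escape_output):
    """Reflect the search term into an HTML body. With escape_output=False
    this is the reflected-XSS bug; with True it is the fix the thread
    recommends (escaping for the HTML element context)."""
    body = html.escape(query, quote=True) if escape_output else query
    return f"<p>Results for: {body}</p>"


def handle(method, query_string, session, form=None, escape_output=True):
    """Minimal request pipeline: CSRF gate first, then the page handler."""
    form = form or {}
    if not csrf_check(method, session, form):
        return 403, "CSRF token missing or invalid"
    params = parse_qs(query_string)
    q = params.get("q", [""])[0]
    return 200, render_search(q, escape_output)


def demo():
    """Run the four cases the thread discusses and return the responses."""
    session = {}
    token = issue_csrf_token(session)
    # Constructed reflected payload: q=<script>alert(1)</script>, URL-encoded.
    payload_qs = "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    return {
        # CSRF gate passes (GET is exempt) and the payload is reflected raw:
        # the anti-CSRF measure did not mitigate the XSS.
        "get_unescaped": handle("GET", payload_qs, session, escape_output=False),
        # Same request with output escaping: markup is neutralised.
        "get_escaped": handle("GET", payload_qs, session),
        # Cross-site POST without the session's token is rejected.
        "post_no_token": handle("POST", "", session, form={}),
        # Legitimate POST carrying the session's token is accepted.
        "post_with_token": handle("POST", "", session, form={"csrf_token": token}),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body}")
</test>
The `get_unescaped` case is the one worth noticing: the request clears the CSRF check and still reflects the script tag, which is exactly why a token scheme that exempts GET (as it must, for bookmarkable URLs) cannot be relied on as an XSS control.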
