[WEB SECURITY] Anti-CSRF mesaues will mitigate XSS

Paul Johnston paul.johnston at pentest.co.uk
Fri Jun 25 09:40:23 EDT 2010


> Although it's not a new idea. But during an assessment of an application, I and my colleague was discussing about a scenario in the application. The application had login section behind which there were few pages that were vulnerable to Reflected XSS. Application was also vulnerable to CSRF. 
> Needless to say that we suggested anti-CSRF measures for the application. Although we also suggested anti-XSS measures but the anti-CSRF measures were good enough to mitigate any attempt to exploit the reflected XSS flaws on the pages behind authentication. The application was rejecting any external request. 

Although this scenario seems worrying, it is basically tight - it
prevents malicious exploitation.

Some caveats:

The CSRF token must be tied to users' sessions. If a user can construct
an attack using their own token and send this to another user, there is
still a vulnerability.

It only protects form targets with CSRF protection. Often there are many
parts of an application that won't have this protection, e.g. URL
parameters used by the application between pages.

It doesn't help with stored XSS.

A user can still XSS themselves. This is not really a security risk, but
you could potentially end up on XSSed.org with them saying "paste
<script>alert(1)</script> into this form field, press submit - and look,
you're vulnerable".



Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to 
the confirmation email

Join WASC on LinkedIn 

WASC on Twitter

More information about the websecurity mailing list