[WEB SECURITY] Anti-CSRF measures will mitigate XSS

Jacky Jack jacksonsmth698 at gmail.com
Sat Jun 26 08:44:48 EDT 2010


Yes, it's not wise to always add anti-CSRF measures in every GET request
because of server load.  Defense against CSRF and XSS is a different thing.
Anti-CSRF measures are prone to miss XSS protection.


On Fri, Jun 25, 2010 at 11:01 AM, Santhosh Kumar K <santoshkumar at temenos.com> wrote:

> Hi,
>
> I too came across such a discussion before, and we concluded that fixing
> CSRF with random tokens attached to every request would fix CSRF & XSS is
> not possible, because at the time of attack the token invalidates.
>
> Regards,
>
> *K. Santhosh Kumar*
>
> *Application Security Testing Engineer*
>
> Security Technology
>
> Tel: 044-4223 1563
>
> *TEMENOS*
> The Banking Software Company
>
> *Security is a state of mind!!!*
>
> *From:* nilesh kumar [mailto:nileshkumar83 at yahoo.co.in]
> *Sent:* Thursday, June 24, 2010 2:09 PM
>
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] Anti-CSRF measures will mitigate XSS
>
> Hi List,
>
> Although it's not a new idea, during an assessment of an application my
> colleague and I were discussing a scenario in the application. The
> application had a login section behind which there were a few pages that were
> vulnerable to reflected XSS. The application was also vulnerable to CSRF.
> Needless to say, we suggested anti-CSRF measures for the application.
> Although we also suggested anti-XSS measures, the anti-CSRF measures were
> good enough to mitigate any attempt to exploit the reflected XSS flaws on
> the pages behind authentication. The application was rejecting any external
> request.
>
> So any attempt to exploit the reflected XSS will bear no fruit in a scenario
> like this.
>
> Your valuable thoughts?
>
> Thanks & Regards,
> Nilesh Kumar,
> Security Analyst
> Honeywell, India
> http://nileshkumar83.blogspot.com
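The scenario from the original post, as an added example that is not code from the thread: a token-checked page that reflects a query parameter, showing that the check stops a cross-site link from ever reaching the reflection sink, while any request that does carry the session's token still hits the unencoded reflection, which only output encoding fixes. The handler and store names are hypothetical.

```python
# Added illustration (not from the thread): a minimal authenticated page with an
# anti-CSRF token check in front of a reflected-XSS sink. Names are hypothetical.
import hmac
import html
import secrets
from typing import Optional

SESSION_TOKENS = {}  # session id -> CSRF token (constructed in-memory store)


def issue_token(session_id: str) -> str:
    """Mint a per-session anti-CSRF token, as the assessed application would."""
    token = secrets.token_urlsafe(16)
    SESSION_TOKENS[session_id] = token
    return token


def token_ok(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented token with the session's token."""
    expected = SESSION_TOKENS.get(session_id)
    return bool(expected and presented and hmac.compare_digest(expected, presented))


def search_page(session_id: str, params: dict):
    """Page behind login that echoes ?q= unencoded (the flaw from the post).
    The token check only decides whether the request is processed at all."""
    if not token_ok(session_id, params.get("token")):
        return 403, "Forbidden"  # external request: payload is never reflected
    return 200, "<p>Results for: " + params.get("q", "") + "</p>"


def search_page_fixed(session_id: str, params: dict):
    """Same page with output encoding: safe however the request arrives."""
    if not token_ok(session_id, params.get("token")):
        return 403, "Forbidden"
    return 200, "<p>Results for: " + html.escape(params.get("q", "")) + "</p>"


PAYLOAD = "<script>alert(1)</script>"  # constructed test input, not a real attack


def demo():
    sid = "sess-1"
    tok = issue_token(sid)
    # 1. Cross-site link: the sender cannot know the victim's token -> rejected.
    blocked = search_page(sid, {"q": PAYLOAD})
    # 2. Any request that does carry the valid token still reaches the raw sink,
    #    so the CSRF check has not removed the XSS, only one delivery route.
    exposed = search_page(sid, {"q": PAYLOAD, "token": tok})
    # 3. Output encoding neutralises the payload regardless of the token.
    fixed = search_page_fixed(sid, {"q": PAYLOAD, "token": tok})
    return blocked, exposed, fixed
```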