[WEB SECURITY] Csrf - parse for tokens and reuse

Paul Johnston paul.johnston at pentest.co.uk
Tue May 4 05:54:46 EDT 2010


Hi,

> If you can really prevent a fully customized XSS attack from performing
> CSRF, I'd love to hear about it, but I don't see how any of these approaches
> would work.

In the general case, I don't think you can.

If you have certain especially sensitive operations to protect, you can
do this by requiring the user to re-enter their password, or enter a
value from a token or SMS.

Paul

-- 
Paul Johnston
IT Security Consultant
Pentest Limited

Office: +44 (0) 161 233 0100
Fax:    +44 (0) 161 233 0990
Mobile:    +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
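The second paragraph of the reply describes step-up authentication: a sensitive operation is gated on something the session cookie alone cannot supply (a re-entered password, or a code from a token or SMS). The following is an added example, not code from the original post, of a hypothetical `transfer_funds` handler that demands a fresh password or an RFC 6238 one-time code on every sensitive request. The user store, the fixed salt, the TOTP secret and all function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed user store. Real deployments keep per-user random salts and the
# TOTP secret in the user database; these fixed values exist only so the
# example runs offline.
_SALT = b"constructed-salt-not-for-production"
TOTP_STEP = 30  # seconds per TOTP interval (RFC 6238 default)


def hash_password(password: str) -> bytes:
    """PBKDF2-SHA256 of the password; compared with a constant-time check below."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": b"0123456789abcdef0123",  # constructed 20-byte shared secret
    }
}

# (username, TOTP counter) pairs already accepted, so a code is honoured
# at most once inside its validity window.
_USED_CODES: set = set()


def verify_password(username: str, attempt: str) -> bool:
    """Constant-time comparison of the attempt against the stored hash."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password_hash"], hash_password(attempt))


def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for one time counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def verify_totp(username: str, attempt: str, now: Optional[float] = None,
                window: int = 1) -> bool:
    """Accept the current code or its neighbours (clock skew), each only once."""
    user = USERS.get(username)
    if user is None or not attempt.isdigit():
        return False
    now = time.time() if now is None else now
    base = int(now // TOTP_STEP)
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(totp_code(user["totp_secret"], counter), attempt):
            if (username, counter) in _USED_CODES:
                return False  # an already-consumed code is refused
            _USED_CODES.add((username, counter))
            return True
    return False


class StepUpRequired(Exception):
    """Raised when a sensitive request lacks fresh proof that the user is present."""


def transfer_funds(session: dict, form: dict, now: Optional[float] = None) -> dict:
    """Hypothetical handler for a sensitive operation.

    The session cookie is deliberately not enough on its own: the request must
    also carry the user's password or a current one-time code. The proof is
    checked for this request only and is never cached in the session.
    """
    username = session.get("user")
    if username is None:
        raise PermissionError("not logged in")
    password_ok = verify_password(username, form.get("password", ""))
    otp_ok = verify_totp(username, form.get("otp", ""), now)
    if not (password_ok or otp_ok):
        raise StepUpRequired("re-enter your password or a one-time code to confirm")
    return {"status": "ok", "from": username, "to": form["to"], "amount": form["amount"]}
```

Two design choices matter here. The proof is verified per request rather than setting a "recently re-authenticated" flag in the session, because such a flag would be just another session state that any request carrying the cookie could ride on. A one-time code is consumed the moment it is accepted, so it cannot be submitted a second time within its window. As the reply says, this raises the bar for the sensitive operations you choose to protect; it is not a general answer to script running in the victim's browser.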
