[WEB SECURITY] CSRF and Header Forging - your thoughts needed

Achim Hoffmann webappsec at securenet.de
Sat May 29 04:39:29 EDT 2010

!! If the app has an XSS flaw then adding in CSRF tokens doesn't help
!! since, as you said, the attack payload could scrape the token and
!! submit it in the CSRF forced request.

Assuming that we're talking about CSRF in application after a user passed
his credentials (login):
if the token is in the URL, the XSS must be s persistent/stored XSS.
And that's not enough: it must be a persistent XSS accessable in the page
protected by the token in its URL.

That's a very high bar for an attacker if the token is random.


Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list