[WEB SECURITY] How are you tackling CSRF?

Sebastian Schinzel ssc at seecurity.org
Tue Apr 26 03:36:20 EDT 2011


Hi Rohit,

On Apr 25, 2011, at 10:06 AM, Rohit Pitke wrote:
> You are basically assuming that there is XSS on some of the requests. If there is no XSS, even if you keep a value of your CSRF token same as cookies, it won't matter.
> Also, if we correctly implement CSRF on each and every page (including GET), that would automatically mitigate XSS too as a request carrying XSS string won't be accepted on server side. (Provided CSRF token validation is done strictly).
> 
> Thoughts?

It would only mitigate reflected XSS, but not persistent XSS.

In general, I would refrain from telling the developers that CSRF tokens also
mitigate reflected XSS. I fear that the developers could accept this as a 
"best practice to fix XSS" with all the negative implications. 

"Fixing" reflected XSS with CSRF tokens leads to a tightly coupled security
system, because as soon as CSRF protection fails, you have a much bigger
problem with reflected XSS.

Although CSRF tokens may be a temporary fix for reflected XSS that buys you time
to actually fix the reflected XSS with proper output encoding.

Cheers,
Sebastian
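
The point made in this thread, as an added example that is not code from the original post or from either author: a toy in-memory application (hypothetical `ToyApp`, all names invented for illustration) that strictly checks a per-session CSRF token on every request, GET included. With a constructed `<script>` payload it shows that a cross-site link carrying reflected XSS is rejected because the attacker has no token, that a payload stored by a legitimately authenticated request still renders for later visitors, and that as soon as the token is known to the attacker the reflected XSS fires again; switching on output encoding is what actually closes both holes.

```python
import html
import secrets

# Constructed test payload; any markup the browser would execute works the same.
PAYLOAD = "<script>alert(1)</script>"


class ToyApp:
    """Hypothetical server: strict CSRF check on every request (GET included),
    a search page that reflects ?q=, and a comments page that renders stored text."""

    def __init__(self, encode_output=False):
        self.encode_output = encode_output
        self.sessions = {}   # session id -> CSRF token bound to that session
        self.comments = []   # user-supplied content persisted across requests

    def login(self):
        """Create a session and its CSRF token, as a real app would on login."""
        sid, tok = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = tok
        return sid, tok

    def _check_csrf(self, sid, token):
        expected = self.sessions.get(sid)
        return (expected is not None and token is not None
                and secrets.compare_digest(expected, token))

    def _render(self, text):
        # Output encoding is the actual XSS fix; it is off by default here to
        # model the situation discussed in the thread.
        return html.escape(text, quote=True) if self.encode_output else text

    def handle(self, method, path, params, cookie_sid):
        """Dispatch one request; returns (status, body)."""
        if not self._check_csrf(cookie_sid, params.get("csrf")):
            return 403, "CSRF token missing or invalid"
        if method == "GET" and path == "/search":
            return 200, "<p>Results for: %s</p>" % self._render(params.get("q", ""))
        if method == "POST" and path == "/comment":
            self.comments.append(params.get("text", ""))
            return 201, "stored"
        if method == "GET" and path == "/comments":
            return 200, "".join("<li>%s</li>" % self._render(c) for c in self.comments)
        return 404, "not found"


def run_scenarios(encode_output):
    """Return which attacks succeed against an app with or without output encoding."""
    app = ToyApp(encode_output=encode_output)
    victim_sid, victim_tok = app.login()
    poster_sid, poster_tok = app.login()   # a second, legitimately logged-in user

    # 1. Reflected XSS delivered as a cross-site link: the attacker does not
    #    know the victim's token, so the strict check rejects the request.
    status, _ = app.handle("GET", "/search", {"q": PAYLOAD}, victim_sid)
    reflected_blocked = status == 403

    # 2. Stored XSS: the poster submits the payload with a valid token, and the
    #    victim later views the page with their own valid token. The CSRF check
    #    passes on both requests, so the token does nothing against this.
    app.handle("POST", "/comment", {"text": PAYLOAD, "csrf": poster_tok}, poster_sid)
    _, body = app.handle("GET", "/comments", {"csrf": victim_tok}, victim_sid)
    stored_executes = PAYLOAD in body

    # 3. Tight coupling: if CSRF protection fails (token leaked, predictable,
    #    or bypassed), the reflected XSS is immediately exploitable again.
    _, body = app.handle("GET", "/search", {"q": PAYLOAD, "csrf": victim_tok}, victim_sid)
    reflected_with_token_executes = PAYLOAD in body

    return {
        "reflected_blocked_by_csrf": reflected_blocked,
        "stored_executes": stored_executes,
        "reflected_with_token_executes": reflected_with_token_executes,
    }


if __name__ == "__main__":
    print("CSRF tokens only:  ", run_scenarios(encode_output=False))
    print("plus output encoding:", run_scenarios(encode_output=True))
```

The first dictionary shows the token-only defence: reflected blocked, stored not, and reflected back the moment the token is known. The second shows that output encoding stops both regardless of the token, which is why the token is at most a stopgap rather than the fix.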


