[Owasp-delhi] Please clarify

Soumyendu Das Soumyendu.Das at itc.in
Tue Feb 3 06:32:50 EST 2009

Dear Pamendra,

I can give you an example where both CSRF and XSS vulnerabilities both are 
in action to amplify the severity of attack.
If one application is allowing to store javascript from User Input and 
display the same somewhere in the site(e.g. area 11) , then it is very 
easy to store 
<img> or <iframe> tag or any other javascript to perform an unauthorized 
actions such as fund transfer (actions which are normally performed with 
CSRF attack) ,stealing the authentication cookie etc.
Now if the application is vulnerable to CSRF then those stored malicious 
javascript will be executed when the victim visit the area (area 11) of 
the site after authentication which is one of the prime requirement of 
CSRF attack.
Often it is referred as Stored CSRF attack but actually it is the CSRF in 
conjunction with XSS attack. 

Kind Regards
Soumyendu Das
Associate IT Consultant
Application Security Team,ITC Infotech India Ltd.
Mobile - (0)9830657905

Parmendra Sharma <s.parmendra at gmail.com> 
Sent by: owasp-delhi-bounces at lists.owasp.org
02/02/2009 04:35 PM

owasp-delhi at lists.owasp.org

[Owasp-delhi] Please clarify

Hello All,
Please clarify the belowmentioned point:
"XSS flaws is susceptible to CSRF because a CSRF attack can exploit the 
XSS flaw to steal any non-automatically submitted credential that might be 
in place to protect against a CSRF attack"
Please mention the scenerio where both the vulnerabilities are in 
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org

Can you avoid printing this?
Think of the environment before printing the email.
Please visit us at www.itcportal.com
This Communication is for the exclusive use of the intended recipient (s) and shall
not attach any liability on the originator or ITC Ltd./its Subsidiaries/its Group 
Companies. If you are the addressee, the contents of this email are intended for your 
use only and it shall not be forwarded to any third party, without first obtaining 
written authorisation from the originator or ITC Ltd./its Subsidiaries/its Group 
Companies. It may contain information which is confidential and legally privileged
and the same shall not be used or dealt with by any third party in any manner 
whatsoever without the specific consent of ITC Ltd./its Subsidiaries/its Group 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20090203/6a9d2a05/attachment.html 

More information about the Owasp-delhi mailing list