[Owasp-delhi] Please clarify
gunwant.s at gmail.com
Wed Feb 4 11:44:34 EST 2009
Both are independent of each other. An application may be vulnerable to one
of the attacks but not the other at the same time.
For a CSRF attack, an application does not need to be susceptible to XSS
attack. Often, to execute an XSS attack, one needs to include a script in
the context of the application. So if you can incorporate some scripting you
can execute XSS. Although there are many variations to this, which is
another story. For CSRF, one needs to execute code (not necessarily a
script) in the authentication context of the user that changes the state of
the application. For example: changing a password, transferring money from his
a/c to the attacker's, etc.
Hope that helps. Let me know if any further clarification is required.
On Mon, Feb 2, 2009 at 4:35 PM, Parmendra Sharma <s.parmendra at gmail.com> wrote:
> Hello All,
> Please clarify the below-mentioned point:
> "XSS flaws is susceptible to CSRF because a CSRF attack can exploit the XSS
> flaw to steal any non-automatically submitted credential that might be in
> place to protect against a CSRF attack"
> Please mention the scenario where both the vulnerabilities are in
> Thanks and Regards:
> Parmendra Sharma
> Indian Computer Emergency Response Team (CERT-In)
> Ministry of Information Technology
> Government of India
> 6 C.G.O Complex
> Lodhi Road
> New Delhi
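As an added illustration, not part of the thread, of the defence the quoted OWASP text refers to: a state-changing handler that refuses a request carrying only the automatically submitted session cookie and requires the per-session synchronizer token plus a same-site Origin. The endpoint name, the bank.example origin and the in-memory session store are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: dict = {}


def new_session(user: str) -> str:
    """Create a session and mint a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def handle_transfer(req: Request, site_origin: str = "https://bank.example") -> tuple:
    """Hypothetical state-changing endpoint (returns status code and message).

    The browser attaches the session cookie to any request, including one a
    foreign page triggers, so the cookie alone must never authorise the action.
    The token is the value a cross-site page cannot read or submit on its own.
    """
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change must be POST"
    # Reject requests that do not originate from this site; a missing
    # Origin/Referer is treated as cross-site rather than trusted.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(site_origin):
        return 403, "cross-site origin"
    # Constant-time comparison of the submitted token with the session's token.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "missing or wrong csrf token"
    return 200, f"transferred {req.form['amount']} to {req.form['to']} for {sess['user']}"
```

The token check holds only as long as the page is free of XSS: injected script runs in the same origin, can read the token out of the form and submit it, which is exactly the interaction the quoted OWASP sentence describes.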