[Owasp-delhi] Please clarify

Ranjan Kumar Ranjan.Kumar at headstrong.com
Wed Feb 4 12:34:54 EST 2009

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF ("sea-surf"[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

courtesy Wikipedia http://en.wikipedia.org/wiki/Cross-site_request_forgery


From: owasp-delhi-bounces at lists.owasp.org [owasp-delhi-bounces at lists.owasp.org] On Behalf Of Gunwant Singh [gunwant.s at gmail.com]
Sent: Wednesday, February 04, 2009 10:14 PM
To: Parmendra Sharma
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Please clarify

Both are independent of each other. An application may be vulnerable to one of the attacks but not the other at the same time.

For a CSRF attack, an application does not need to be susceptible to XSS attack. Often, to execute an XSS attack, one needs to include a script in the context of the application. So if you can incorporate some scripting you can execute XSS. Although there are many variations to this, which is another story. For CSRF, one needs to execute code (not necessarily a script) in the authentication context of the user that changes the state of the application. For example: changing password, transferring money from his a/c to the attacker's, etc.

Hope that helps. Let me know if any further clarification is required.


On Mon, Feb 2, 2009 at 4:35 PM, Parmendra Sharma <s.parmendra at gmail.com> wrote:
Hello All,

Please clarify the below-mentioned point:

"XSS flaws are susceptible to CSRF because a CSRF attack can exploit the XSS flaw to steal any non-automatically submitted credential that might be in place to protect against a CSRF attack"
Please mention the scenario where both the vulnerabilities are in action.
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi


Gunwant Singh
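An added example, not taken from any post in this thread, of the check a state-changing endpoint performs with a synchronizer token bound to the session (the "non-automatically submitted credential" the quoted sentence refers to). The secret key, session ids, origins and the Origin-header check are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed placeholder: in a real deployment this comes from server configuration.
SECRET_KEY = b"example-server-side-secret"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token to embed as a hidden form field.

    The browser attaches the session cookie to every request on its own, but it
    never attaches this field by itself, so a request forged from another site
    arrives without it (or with a value that does not match this session).
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_changing_request(session_id: str, form_fields: Dict[str, str],
                                 headers: Dict[str, str],
                                 site_origin: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request that would change state,
    e.g. a password change or a funds transfer as mentioned in the thread."""
    # The session cookie alone proves nothing about where the request was
    # initiated; only the token that is not sent automatically does.
    submitted = form_fields.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(submitted, expected):
        return False, "missing or wrong csrf token"
    # Defence in depth (assumed here): a browser-set Origin header naming
    # another site also marks the request as cross-site.
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False, "cross-site origin"
    # Note: both checks assume the page itself is free of XSS. A script injected
    # into the page can read the hidden field and submit it from the genuine
    # origin, which is the dependency the quoted OWASP sentence describes.
    return True, "ok"
```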
