[Owasp-delhi] Please clarify

Bipin Upadhyay muxical.geek at gmail.com
Thu Feb 5 00:54:04 EST 2009


Gunwant Singh wrote:
> Both are independent of each other. An application may be vulnerable 
> to one of the attacks but not the other at the same time.
I think there's a slight mistake here. An app vulnerable to XSS is 
automatically vulnerable to CSRF.
>
> For a CSRF attack, an application does not need to be susceptible to 
> XSS attack. Often, to execute an XSS attack, one needs to include a 
> script in the context of the application. So if you can incorporate 
> some scripting you can execute XSS. Although there are many variations 
> to this, which is another story. For CSRF, one needs to execute code 
> (not necessarily a script) in the authentication context of the user 
> that changes the state of the application. For example: Changing 
> password, transferring money from his a/c to the attacker's, etc.
>
> Hope that helps. Let me know if any further clarification is required.
>
> Regards,
> Gunwant
>
> On Mon, Feb 2, 2009 at 4:35 PM, Parmendra Sharma 
> <s.parmendra at gmail.com> wrote:
>
>     Hello All,
>      
>     Please clarify the below-mentioned point:
>      
>     "XSS flaws are susceptible to CSRF because a CSRF attack can
>     exploit the XSS flaw to steal any non-automatically submitted
>     credential that might be in place to protect against a CSRF attack"
>     Please mention the scenario where both the vulnerabilities are in
>     action....
>     -- 
>     Thanks and Regards:
>
>     Parmendra Sharma
>     Indian Computer Emergency Response Team (CERT-In)
>     Ministry of Information Technology
>     Government of India
>     6 C.G.O Complex
>     Lodhi Road
>     New Delhi
>
>     _______________________________________________
>     Owasp-delhi mailing list
>     Owasp-delhi at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
>
>
> -- 
> Gunwant Singh
>
--Bipin Upadhyay.
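As an added illustration of the point argued in this thread (example code, not from any of the posters), here is a small Python model of a per-session anti-CSRF token: a request forged from another origin carries the cookie but not the token and is rejected, whereas once the page renders unescaped user input, script running in the application's own origin can read the hidden token and pass the very same check; output encoding the user input removes the script and restores the protection. The session id, token format, URL and page layout are constructed for the example.

```python
import html
import re
import secrets
from typing import Dict, Optional

# Constructed in-memory model of one logged-in session and its anti-CSRF token
SESSION_COOKIE = "sid-1234"
CSRF_TOKEN = secrets.token_hex(16)


def render_page(comment: str, escape: bool) -> str:
    """Render the app page: a form with the hidden token plus a user comment.
    escape=False is the XSS defect; escape=True is the output-encoding fix."""
    body = html.escape(comment) if escape else comment
    return (
        '<form method="POST" action="/change-password">'
        f'<input type="hidden" name="csrf" value="{CSRF_TOKEN}"></form>'
        f'<div class="comment">{body}</div>'
    )


def server_accepts(cookie: Optional[str], form: Dict[str, str]) -> bool:
    """Server-side CSRF defence: valid session AND token matching that session."""
    token = form.get("csrf", "")
    return cookie == SESSION_COOKIE and secrets.compare_digest(token, CSRF_TOKEN)


def cross_site_forgery_accepted() -> bool:
    """Classic CSRF from another origin: the browser attaches the cookie, but the
    attacker's page cannot read the token, so the submitted form has none."""
    return server_accepts(SESSION_COOKIE, {"new_password": "x"})


def in_origin_script_accepted(page: str) -> bool:
    """Script is only executed if the page contains a raw <script> tag. Such script
    runs in the app's origin, so it can read the hidden token and submit it."""
    if "<script>" not in page:
        return False  # nothing executes; the token stays unreadable cross-origin
    token = re.search(r'name="csrf" value="([0-9a-f]+)"', page).group(1)
    return server_accepts(SESSION_COOKIE, {"new_password": "x", "csrf": token})
```

Running `in_origin_script_accepted` on the unescaped and the escaped rendering of the same comment shows that the token check is only as strong as the application's XSS hygiene.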