[Owasp-delhi] Please clarify

Gunwant Singh gunwant.s at gmail.com
Thu Feb 5 01:03:46 EST 2009


No, I do not agree with that.

On Wed, Feb 4, 2009 at 11:54 PM, Bipin Upadhyay <muxical.geek at gmail.com> wrote:

>  Gunwant Singh wrote:
>
> Both are independent of each other. An application may be vulnerable to one
> of the attacks but not the other at the same time.
>
> I think there's a slight mistake here. An app vulnerable to XSS is
> automatically vulnerable to CSRF.
>
>
> For a CSRF attack, an application does not need to be susceptible to XSS
> attack. Often, to execute an XSS attack, one needs to include a script in
> the context of the application. So if you can incorporate some scripting you
> can execute XSS. Although there are many variations to this, which is
> another story. For CSRF, one needs to execute code (not necessarily a
> script)  in the authentication context of the user that changes the state of
> the application. For example: changing password, transferring money from his
> a/c to the attacker's, etc.
>
> Hope that helps. Let me know if any further clarification is required.
>
> Regards,
> Gunwant
>
> On Mon, Feb 2, 2009 at 4:35 PM, Parmendra Sharma <s.parmendra at gmail.com> wrote:
>
>> Hello All,
>>
>> Please clarify the below-mentioned point:
>>
>> "XSS flaws is susceptible to CSRF because a CSRF attack can exploit the
>> XSS flaw to steal any non-automatically submitted credential that might be
>> in place to protect against a CSRF attack"
>> Please mention the scenario where both the vulnerabilities are in
>> action....
>> --
>> Thanks and Regards:
>>
>> Parmendra Sharma
>> Indian Computer Emergency Response Team (CERT-In)
>> Ministry of Information Technology
>> Government of India
>> 6 C.G.O Complex
>> Lodhi Road
>> New Delhi
>>
>> _______________________________________________
>> Owasp-delhi mailing list
>> Owasp-delhi at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>
>>
>
>
> --
> Gunwant Singh
>
>
> -- Bipin Upadhyay.
>



-- 
Gunwant Singh
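An added illustration of the distinction drawn in the thread (example code, not from any poster): a hypothetical password-change handler in two forms. The unprotected one trusts only the automatically submitted session cookie, so a cross-site form post succeeds with no XSS involved; the hardened one also demands a per-session token the browser never attaches on its own, which is exactly the "non-automatically submitted credential" the quoted OWASP text refers to, and which injected script inside the origin could read. Session store, field names and status codes are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Hypothetical in-memory session store: session id -> session state
SESSIONS = {}


def new_session(user):
    """Log a user in: returns the session id that would be set as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": user,
        "csrf": secrets.token_urlsafe(32),  # token embedded in same-origin forms
        "password": "old-password",
    }
    return sid


def change_password_unprotected(cookie_sid, body):
    """Vulnerable: the cookie alone authorises a state change, so a forged
    cross-site POST that the browser decorates with the victim's cookie
    succeeds. No XSS is needed for this CSRF."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    sess["password"] = parse_qs(body)["new"][0]
    return 200


def change_password_protected(cookie_sid, body):
    """Hardened: additionally requires the session's CSRF token, which a
    cross-site page cannot read or guess. The defence still depends on the
    origin being free of XSS, since injected script could fetch the token."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    form = parse_qs(body)
    supplied = form.get("csrf", [""])[0]
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403
    sess["password"] = form["new"][0]
    return 200
```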