[Owasp-delhi] Please clarify

Soi, Dhruv dhruv.soi at owasp.org
Thu Feb 5 08:27:09 EST 2009

CSRF is just to force a user execute some command on the server in context
of his already authenticated session. User must be logged into the
application to make the CSRF work. This simple link can make CSRF work -->
<http://www.shopping.com/purchase.php?item=car&confirmed=1> &confirmed=1

It doesn't work if there is new browser instance, as in that case session
won't be valid but it can work in browser TAB. Attendees of last meeting can
recall Gunwant's discussion on the same point about Chrome browser and IE 8.


Whereas, till the time you don't want to steal client's session data, XSS
doesn't really rely on active session to do the trick. Payload would be
entirely different in this case, like -->
<script>alert("Mess with the best, die like the rest");</script>&confirmed=0


CSRF has nothing to do with XSS but when CSRF is launched with XSS it can
make a difference. 


If someone hasn't already read about MySpace Samy story, visit this link -->
http://namb.la/popular/  (No CSRF in the link) :-)


Many Thanks,




From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Gunwant Singh
Sent: Thursday, February 05, 2009 11:34 AM
To: Bipin Upadhyay
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Please clarify


No, I do not agree with that.

On Wed, Feb 4, 2009 at 11:54 PM, Bipin Upadhyay <muxical.geek at gmail.com>

Gunwant Singh wrote: 

Both are independent of each other. An application may be vulnerable to one
of the attacks but not the other at the same time. 

I think there's a slight mistake here. An app vulnerable to XSS is
automatically vulnerable to CSRF.

For a CSRF attack, an application does not need to be susceptible to XSS
attack. Often, to execute an XSS attack, one needs to include a script in
the context of the application. So if you can incorporate some scripting you
can execute XSS. Although there are many variations to this, which is
another story. For CSRF, one needs to execute code (not necessarily a
script)  in the authentication context of the user that changes the state of
the application. For example: Changing password, transfering money from his
a/c to the attackers, etc.

Hope that helps. Let me know if any further clarification is required.


On Mon, Feb 2, 2009 at 4:35 PM, Parmendra Sharma <s.parmendra at gmail.com>

Hello All,


Please clarify the belowmentioned point:


"XSS flaws is susceptible to CSRF because a CSRF attack can exploit the XSS
flaw to steal any non-automatically submitted credential that might be in
place to protect against a CSRF attack"

Please mention the scenerio where both the vulnerabilities are in action....
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi

Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org

Gunwant Singh



Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org

--Bipin Upadhyay.

Gunwant Singh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20090205/a0c98b60/attachment-0001.html 

More information about the Owasp-delhi mailing list