XSS combined with CSRF

[mn_kthompson]

I found an interesting article over at the Dark Reading website about a technique that was recently covered at Black Hat Europe.  The hack involves combining XSS and CSRF to gain control of a browser and launch attacks against other sites using the users level of access. 

An example giving in the article would be to gain control of a corporate users browser and then attack corporate servers from inside the firewall.

http://www.darkreading.com/document.asp?doc_id=120801&WT.svl=news1_4

If you're like me, and you've never heard of CSRF before, you can read about it in more detail at wikipedia!  http://en.wikipedia.org/wiki/CSRF

[Craig]

XSS and CSRF are everywhere, and I don't think that most people are really taking them seriously enough. There are some really awesome XSS attacks that can be done, and as this article shows, when combined with CSRF you aren't safe from them even if your site has no XSS what so ever. I'd reccommend checking out sla.ckers.org, ha.ckers.org and jeremiah grossman's blog, they all have a lot of cool XSS-related information.