I found an interesting article over at the Dark Reading website about a technique that was recently covered at Black Hat Europe. The hack involves combining XSS and CSRF to gain control of a browser and launch attacks against other sites using the users level of access.
An example giving in the article would be to gain control of a corporate users browser and then attack corporate servers from inside the firewall.
XSS and CSRF are everywhere, and I don’t think that most people are really taking them seriously enough. There are some really awesome XSS attacks that can be done, and as this article shows, when combined with CSRF you aren’t safe from them even if your site has no XSS what so ever. I’d reccommend checking out sla.ckers.org, ha.ckers.org and jeremiah grossman’s blog, they all have a lot of cool XSS-related information.
Viewing 1 reply thread
You must be logged in to reply to this topic.
– EH-Net Live!“CISO Underrepresented“ w/ Mark Arnold and Steph Ihezukwu on Tues June 30 @ 1:00 PM US ET. Reg Open Now!