.

XSS combined with CSRF

<<

mn_kthompson

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Mon Apr 02, 2007 10:00 am

XSS combined with CSRF

I found an interesting article over at the Dark Reading website about a technique that was recently covered at Black Hat Europe.  The hack involves combining XSS and CSRF to gain control of a browser and launch attacks against other sites using the users level of access. 

An example giving in the article would be to gain control of a corporate users browser and then attack corporate servers from inside the firewall.

http://www.darkreading.com/document.asp?doc_id=120801&WT.svl=news1_4

If you're like me, and you've never heard of CSRF before, you can read about it in more detail at wikipedia!  http://en.wikipedia.org/wiki/CSRF
<<

heffnercj

EH-Net Columnist
EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Mon Apr 02, 2007 10:54 am

Re: XSS combined with CSRF

XSS and CSRF are everywhere, and I don't think that most people are really taking them seriously enough. There are some really awesome XSS attacks that can be done, and as this article shows, when combined with CSRF you aren't safe from them even if your site has no XSS what so ever. I'd reccommend checking out sla.ckers.org, ha.ckers.org and jeremiah grossman's blog, they all have a lot of cool XSS-related information.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software