[Catalyst] Re: CSRF

Aristotle Pagaltzis pagaltzis at gmx.de
Wed Oct 1 07:13:21 BST 2008


* Ashley <apv at sedition.com> [2008-09-30 19:30]:
> If scripting is involved that makes it an XSS attack instead,
> though. No?

No.

XSS means injecting attacker-controlled HTML into a page. That’s
usually used to inject JavaScript, but doesn’t have to; just HTML
could work just as well. The attack takes place when the victim
visits a page on the vulnerable site and can cause anything to
happen, including sending sensitive information from that page to
third parties.

CSRF means getting the victim’s browser to send a request to the
vulnerable site. It makes use of what’s sometimes referred to as
“ambient authentication,” i.e. the victim is already logged into
the vulnerable site, e.g. with a remember-me-forever cookie, which
the CSRF attack relies on to trigger actions that require
authentication. The attack can take place anywhere on the web at
all (you just have to get the victim to visit a site you control)
but can only trigger functions of the vulnerable site.

There is some overlap in what you can achieve with the two routes
of attack, but the overall risk profiles are different. The main
thing to keep in mind is that CSRF holes are much easier to
exploit, by virtue of the fact that attacks can be initiated from
any page on the web.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
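The distinction drawn above, as an added example that is not part of the post and not Catalyst code: a Python model of a bank's "transfer" action, once relying on ambient authentication alone (the session cookie) and once also demanding a per-session token that only the bank's own page can embed. The names (bank.example, evil.example, the session IDs, balances and the /transfer path) are constructed for illustration. The forged request is exactly what the victim's browser would send after loading an attacker-controlled page: the cookie rides along, the attacker picks the form fields, but the attacker cannot read the token, so the protected handler refuses it.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample state (assumption, not real data): alice has a
# long-lived "remember me" session. The session cookie is the ambient
# credential the browser attaches to every request to bank.example,
# no matter which page caused the request to be sent.
BANK_ORIGIN = "https://bank.example"
SESSIONS = {
    "sess-alice-123": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}
BALANCES = {"alice": 1000, "mallory": 0}


@dataclass
class Request:
    """Minimal model of what the server sees (hypothetical, for the demo)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def current_user(req):
    sess = SESSIONS.get(req.cookies.get("session"))
    return sess["user"] if sess else None


def do_transfer(user, req):
    to, amount = req.form["to"], int(req.form["amount"])
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return "ok"


def transfer_vulnerable(req):
    """Relies on ambient authentication only: valid cookie, so act."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return "denied"
    return do_transfer(user, req)


def transfer_protected(req):
    """Same action, but the request must also prove it came from our own
    page: a per-session token our page embeds in its form, compared in
    constant time, plus a check that any Origin header names our site."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return "denied"
    expected = SESSIONS[req.cookies["session"]]["csrf_token"]
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return "denied: bad or missing csrf token"
    origin = req.headers.get("Origin")
    if origin is not None and origin != BANK_ORIGIN:
        return "denied: cross-origin"
    return do_transfer(user, req)


def attacker_page_html(action_url):
    """The page on the attacker's site: a plain HTML form aimed at the
    vulnerable site. The one line of script only auto-submits it; a
    button the victim clicks would do the same without any script."""
    return (
        f'<form id="f" method="POST" action="{action_url}">'
        '<input type="hidden" name="to" value="mallory">'
        '<input type="hidden" name="amount" value="500">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


def forged_request(victim_session_cookie):
    """What the victim's browser sends after loading the attacker's page.
    The cookie is attached automatically; the attacker controls the form
    fields but never sees the csrf_token, because the same-origin policy
    keeps bank.example's pages unreadable from evil.example."""
    return Request(
        method="POST", path="/transfer",
        cookies={"session": victim_session_cookie},
        form={"to": "mallory", "amount": "500"},
        headers={"Origin": "https://evil.example"},
    )


def legitimate_request(session_cookie):
    """A submission of the bank's own form, which embeds the token."""
    return Request(
        method="POST", path="/transfer",
        cookies={"session": session_cookie},
        form={"to": "bob", "amount": "50",
              "csrf_token": SESSIONS[session_cookie]["csrf_token"]},
        headers={"Origin": BANK_ORIGIN},
    )


def demo():
    """Reset balances, replay the forged request against both handlers and
    a legitimate one against the protected handler; return the outcomes."""
    BALANCES.clear()
    BALANCES.update({"alice": 1000, "mallory": 0})
    cookie = "sess-alice-123"
    r_vuln = transfer_vulnerable(forged_request(cookie))
    r_prot = transfer_protected(forged_request(cookie))
    r_legit = transfer_protected(legitimate_request(cookie))
    return r_vuln, r_prot, r_legit, dict(BALANCES)


if __name__ == "__main__":
    print(attacker_page_html(BANK_ORIGIN + "/transfer"))
    print(demo())
```

Running `demo()` shows the vulnerable handler moving 500 from alice to mallory on the forged request, while the protected handler refuses the same request for lack of a token and still accepts the bank's own form. The token check is the essential part; the Origin comparison is a second, cheaper line of defence that only helps when the browser sends the header.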


