[Catalyst] Re: CSRF

Aristotle Pagaltzis pagaltzis at gmx.de
Wed Oct 1 15:23:19 BST 2008


* Moritz Onken <onken at houseofdesign.de> [2008-10-01 12:55]:
> but this does still rely on the fact that there is no XSS issue
> on your page, doesn't it?

So what? If your site has an XSS hole, it’s already game over.
The attacker can inject Javascript that passes the same-origin
policy blockade, so they can already do whatever the hell they
want.

> I imagine a case where the attacker's site opens a iframe to
> your site which exploits a XSS issue and can send the hole form
> information back to the attacker's site. He has now the HMAC
> and the random string.

Using an XSS hole to initiate a CSRF attack is like breaking in
through the window to steal the house keys so you can unlock the
front door. Attackers don’t build Rube Goldberg contraptions.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>



More information about the Catalyst mailing list