[Catalyst] Re: CSRF
Aristotle Pagaltzis
pagaltzis at gmx.de
Wed Oct 1 15:23:19 BST 2008
* Moritz Onken <onken at houseofdesign.de> [2008-10-01 12:55]:
> but this does still rely on the fact that there is no XSS issue
> on your page, doesn't it?
So what? If your site has an XSS hole, it’s already game over.
The attacker can inject Javascript that passes the same-origin
policy blockade, so they can already do whatever the hell they
want.
> I imagine a case where the attacker's site opens an iframe to
> your site which exploits an XSS issue and can send the whole form
> information back to the attacker's site. He now has the HMAC
> and the random string.
Using an XSS hole to initiate a CSRF attack is like breaking in
through the window to steal the house keys so you can unlock the
front door. Attackers don’t build Rube Goldberg contraptions.
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
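To make the reasoning in this exchange concrete, here is an added example (not code from the thread or from Catalyst) of the kind of token the quoted message refers to: a random nonce plus an HMAC over that nonce and the session id, computed with a server-side secret. The secret, the session ids and the `session_id:nonce` message layout are assumptions of this example. The checks at the bottom show the two sides of the argument: a forged or cross-session token is rejected, while a token copied verbatim out of the victim's own page (what an XSS hole would hand over) verifies, because from the server's point of view it is simply the legitimate token.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-deployment secret that never leaves the server.
# Constructed value for this example only.
SECRET_KEY = b"constructed-example-server-secret"


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over session id and nonce, hex encoded."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(session_id: str, nonce: Optional[str] = None) -> str:
    """Build the token embedded in the form: '<random nonce>:<hmac>'.

    Binding the session id into the MAC means a token minted for one
    session is useless in another; the nonce makes every form distinct.
    """
    nonce = nonce or secrets.token_hex(16)
    return f"{nonce}:{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the submitted nonce and compare in constant time."""
    try:
        nonce, mac = token.split(":", 1)
    except ValueError:
        return False  # malformed token
    return hmac.compare_digest(mac, _mac(session_id, nonce))


if __name__ == "__main__":
    victim = "sess-victim"       # constructed session id
    attacker = "sess-attacker"   # constructed session id

    token = make_token(victim)
    print("legitimate submit:", verify_token(victim, token))          # True
    print("cross-session replay:", verify_token(attacker, token))     # False
    print("forged mac:", verify_token(victim, "00" * 16 + ":" + "ff" * 32))  # False
    # An XSS payload running on the site reads the form and exfiltrates
    # nonce and MAC together; the server cannot tell that token apart
    # from a legitimate one, which is the point made in the reply above.
    print("token lifted via XSS:", verify_token(victim, token))        # True
```

The token does its job against plain cross-site requests, where the attacker's page cannot read the victim's form; once script runs in the site's own origin, the same-origin policy no longer separates the attacker from that form, and the check passes as designed.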