[Catalyst] Re: CSRF
Moritz Onken
onken at houseofdesign.de
Wed Oct 1 15:33:36 BST 2008
On 01.10.2008 at 16:23, Aristotle Pagaltzis wrote:
> * Moritz Onken <onken at houseofdesign.de> [2008-10-01 12:55]:
>> but this does still rely on the fact that there is no XSS issue
>> on your page, doesn't it?
>
> So what? If your site has an XSS hole, it’s already game over.
> The attacker can inject JavaScript that passes the same-origin
> policy blockade, so they can already do whatever the hell they
> want.
>
>> I imagine a case where the attacker's site opens an iframe to
>> your site which exploits an XSS issue and can send the whole form
>> information back to the attacker's site. He now has the HMAC
>> and the random string.
>
> Using an XSS hole to initiate a CSRF attack is like breaking in
> through the window to steal the house keys so you can unlock the
> front door. Attackers don’t build Rube Goldberg contraptions.
>
> Regards,
Yeah you're right. Good point ;-)