[Catalyst] Re: CSRF (plus session security)

Aristotle Pagaltzis pagaltzis at gmx.de
Thu Oct 2 05:05:40 BST 2008


* Bill Moseley <moseley at hank.org> [2008-10-01 20:45]:
> Where on the risk spectrum is CSRF compared to, say, session
> hijacking?

It’s even harder than XSS to pull off, and requires even closer
involvement of the attacker, but if they succeed, they can
overcome barriers that could prevent an XSS attack from doing
too much harm.

In a sense, it’s the next step in the progression from CSRF to
XSS. CSRF is dangerous primarily because of how easy it is to
set up an attack.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
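
Added illustration of the two points in this exchange (it is not code from the post or from Catalyst; the endpoint, session store, and request shapes are constructed stand-ins, and the example is in Python rather than Perl so that it runs stand-alone): why a CSRF attack is cheap to set up, what a per-session token check does about it, and why the same check does nothing against an attacker who has the session cookie itself.

```python
import hmac
import secrets

# Constructed in-memory session store for this example: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session for `user` and mint a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid):
    """Token the legitimate page embeds in its form; only same-origin code can read it."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(request, check_token=True):
    """Hypothetical state-changing endpoint.

    `request` is a plain dict standing in for a real HTTP request:
    {"method": ..., "cookies": {...}, "form": {...}}.  Returns (status, message).
    """
    if request["method"] != "POST":
        return 405, "method not allowed"
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    if check_token:
        supplied = request["form"].get("csrf_token", "")
        # Constant-time comparison against the token bound to this session.
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"


# The attacker's page (constructed). Getting the victim to load it is the whole
# setup: the browser submits the form and attaches the victim's cookie itself.
ATTACKER_PAGE = """<form id="f" method="POST" action="https://bank.example/transfer">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="1000">
</form>
<script>document.getElementById("f").submit();</script>"""


def forged_request(victim_sid):
    """The request the victim's browser sends after loading ATTACKER_PAGE.

    The cookie comes along automatically, but the attacker's page cannot read
    the per-session token from another origin, so the form does not carry it.
    """
    return {"method": "POST", "cookies": {"session": victim_sid},
            "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(sid):
    """Same-origin form submission carrying the token from the rendered page."""
    return {"method": "POST", "cookies": {"session": sid},
            "form": {"to": "friend", "amount": "10", "csrf_token": csrf_token_for(sid)}}


def hijacked_request(stolen_sid):
    """Session hijacking: the attacker holds the cookie, so they can load the
    page as the victim, read the token, and submit a fully valid form."""
    return {"method": "POST", "cookies": {"session": stolen_sid},
            "form": {"to": "attacker", "amount": "1000",
                     "csrf_token": csrf_token_for(stolen_sid)}}


def demo():
    """Run the four cases and return their HTTP status codes."""
    sid = login("alice")
    return {
        "unprotected": handle_transfer(forged_request(sid), check_token=False)[0],
        "forged": handle_transfer(forged_request(sid))[0],
        "genuine": handle_transfer(legitimate_request(sid))[0],
        "hijacked": handle_transfer(hijacked_request(sid))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request succeeds without the token check and is refused with it, which is the cheap attack and its standard defence; the hijacked request passes the check, which is why session security is a separate problem from CSRF.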


