Re: [WEB SECURITY] Suggestions for the CSRF FAQ
- From: Stefan Esser <sesser@xxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Suggestions for the CSRF FAQ
- Date: Mon, 29 Jan 2007 00:20:31 +0100 (MET)
> *** Before you start adding CSRF protection ***
>
> The first step in protecting your application against CSRF is to fix
> any cross-site scripting vulnerabilities. If your application is
> vulnerable to XSS, CSRF protection is not possible. Javascript
> malware will defeat whatever protection you put in place.
It is simply not true that XSS makes CSRF protection impossible.
First of all, there is always the good old e-mail verification that
protects against unintended requests.
Then it should be perfectly possible to create a 2-phase system that
shows a CAPTCHA to the user that, in addition to the 'passkey', contains
information about the action (so that JS malware does not simply change
the action on the fly).
And then there are different complicated but feasible techniques
(ab)using the cross-domain policy against XSS malware.
Stefan Esser
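The action-binding half of the 2-phase CAPTCHA scheme described in the reply above, as an added example that is not part of the thread: phase 1 issues a one-time nonce and an HMAC tag over the session, nonce and canonicalised action (the text the CAPTCHA image would show the human), and phase 2 recomputes that tag over whatever is actually submitted, so a script that swaps the action after the CAPTCHA was displayed fails the check. `SERVER_SECRET`, `issue_challenge`, `confirm` and the `captcha_ok` flag (standing in for the real CAPTCHA verification) are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a real deployment keeps one persistent server-side key.
SERVER_SECRET = secrets.token_bytes(32)
_unused_nonces: set = set()   # nonces issued in phase 1 and not yet consumed


def _canonical(action: str, params: dict) -> str:
    """Stable serialisation so the tag covers the action and all its parameters."""
    return json.dumps({"action": action, "params": params}, sort_keys=True)


def _tag(session_id: str, nonce: str, canonical: str) -> str:
    msg = f"{session_id}|{nonce}|{canonical}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id: str, action: str, params: dict) -> dict:
    """Phase 1: bind the requested action to the session and a one-time nonce.
    'display' is what the CAPTCHA image would show, so the human sees exactly
    which action they are approving, not just a passkey."""
    nonce = secrets.token_hex(8)
    canonical = _canonical(action, params)
    _unused_nonces.add(nonce)
    return {"nonce": nonce,
            "tag": _tag(session_id, nonce, canonical),
            "display": f"Confirm {canonical} (passkey {nonce})"}


def confirm(session_id: str, action: str, params: dict,
            nonce: str, tag: str, captcha_ok: bool) -> bool:
    """Phase 2: captcha_ok is the (assumed) result of the CAPTCHA check.
    The tag is recomputed over the action now being submitted, so a changed
    action or parameter set, a reused nonce, or a wrong session all fail."""
    if not captcha_ok or nonce not in _unused_nonces:
        return False
    expected = _tag(session_id, nonce, _canonical(action, params))
    if not hmac.compare_digest(expected, tag):
        return False
    _unused_nonces.discard(nonce)   # consume: each challenge is usable once
    return True
```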
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org