Skip to main content


Showing posts from July, 2010

Anti-CSRF measures and XSS

During an assessment of an application, I and my colleague Ronnie were discussing about a scenario in the application. The application had login section behind which there were few pages that were vulnerable to Reflected XSS. Application was also vulnerable to CSRF.Needless to say that we suggested anti-CSRF measures for the application. Although we also suggested anti-XSS measures but the anti-CSRF measures were good enough to mitigate any attempt to exploit the reflected XSS flaws on the pages behind authentication. The application was rejecting any external request. So any attempt to exploit the reflected XSS will bear no fruit in scenario like this. Anyways we had recommended fixing both flaws independently but I wanted to have a discussion over the issue . Lots of people responded to that. All were with the same suggestion- do fix both issues, don't take chance. But what I found most convincing were these arguments from MustLive and Lava: MustLive says: Hel