XSS vs CSRF - What is more dangerous?
There's been a lot of talk lately about the 'new' Cross Site Request Forgery (CSRF) vulnerabilities that are apparently present in nearly every web application in the world. The fact that big-name websites (read: Yahoo and Google) have had this vulnerability makes people even more scared.
If you rewind a couple of years, Cross Site Scripting (XSS) was supposedly all the rage, but people weren't getting nearly as concerned about that vulnerability. In fact, to this day many people don't take XSS seriously. This baffles me to no end, because XSS is, at the very least, as exploitable and dangerous as CSRF: a script running inside the victim's page can do anything the logged-in user can do, including submitting the very forms that CSRF targets.
A successful XSS exploit requires the following:
1. An XSS vulnerability in the application (preferably one reachable before login).
2. A method to induce execution of the script (e.g. a phishing email).
3. An effective script to steal user information.
The requirements for a CSRF exploit are in fact more stringent:
1. A form that is vulnerable to CSRF.
2. A method to induce execution of the request.
3. A way to submit the form from the attacker's page.
4. A vulnerable form that gives the attacker a useful attack vector.
5. Access to the form (since such forms often exist only after login).
These last two requirements are what make CSRF attacks more challenging. Most useful forms, such as account transactions, shopping cart checkouts and change password/email forms, exist only after a user has logged in to an account. So to attack one of these forms, the attacker needs the victim to have an active session at the moment the forged request fires: the browser attaches the session cookie automatically, but if the victim is not logged in the request simply lands on a login page and does nothing, and the attacker cannot see which of the two happened. Getting that timing right is hard! In fact, I think the only common form outside of a login that is susceptible is a 'forgot password' type form, where an attacker could potentially lock out users.
While I do believe that CSRF attacks can be very harmful, I think they are harder to exploit in practice, and web application owners have to be wary about what a form does and where it is located before declaring that their application is truly vulnerable to CSRF. Security professionals just need to be a little more careful before they get caught up in the hype.
- Prashanth Ravishankar
They are both dangerous attacks, but you seem to be implying that it is harder because of authentication schemes that protect the forms. In the majority of web applications, sending a request to site.com/vulnerable_but_protected_by_login?XSS will first forward the user to a login page before relaying them to the exact page that contained the attack vector upon successful login, thereby executing the payload.
Posted by: Martin | May 16, 2007 at 04:05 AM
Very interesting article. CSRF is a worrying issue and I've taken precautions
Posted by: Anonymous | December 06, 2008 at 03:40 AM