XSS and CSRF

Just a comparison and the results … regarding:

“XSS vs CSRF – What is more dangerous? There’s been a lot of talk lately about the ‘new’ Cross Site Request Forgery (CSRF) vulnerabilities that are apparently present in nearly every web application in the world. The fact that big name websites (read: yahoo & google) have this vulnerability makes people even more scared.”

A successful XSS exploit requires the following:
1. XSS vulnerability existing on the application (preferably before login).
2. A method to induce the execution of a script (eg. phishing email).
3. An effective script to steal user information.

The requirements for a CSRF exploit are in fact more stringent:
1. A form that is vulnerable to CSRF.
2. A method to induce execution of the request.
3. A successful form submission method.
4. A vulnerable form that provides an attacker with a useful attack vector.
5. Access to the form (since forms often exist after login).
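The two lists above each hinge on one missing control: the XSS list assumes untrusted input is echoed back as markup, and the CSRF list assumes a form accepts any request that carries the victim's session cookie. The following Python is an added example (not code from the original post or the quoted article) showing the defences that remove those preconditions: a per-session synchronizer token checked before a state-changing POST, and HTML escaping of user text before it is rendered. The request format, the secret, the session store and the sample requests are all constructed for the demo.

```python
"""Added example: the defences that break the XSS and CSRF requirement lists.

Constructed demo, not code from the original post: a minimal handler for a
comment form that (a) validates a per-session CSRF token before acting on a
state-changing POST and (b) HTML-escapes untrusted input before echoing it,
so a stored script cannot execute in other users' browsers.
"""
import hashlib
import hmac
import html
from typing import Dict, Optional, Tuple

# Constructed server-side key; a real deployment would load it from config.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed in-memory session store: session id -> username.
SESSIONS: Dict[str, str] = {"sess-alice": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session (synchronizer-token pattern).

    The token is an HMAC of the session id under a server secret, so a forged
    cross-site form cannot guess it, and a token issued for one session is
    rejected for another.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison so the check does not leak via timing."""
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def render_comment(untrusted_text: str) -> str:
    """Escape <, >, &, and quotes so attacker text stays text, not markup."""
    return "<p>" + html.escape(untrusted_text, quote=True) + "</p>"


def handle_post_comment(request: dict) -> Tuple[int, str]:
    """Process a POST to the comment form.

    `request` is a constructed dict with keys 'cookies' and 'form'. The browser
    attaches the session cookie automatically on a cross-site POST, but the
    CSRF token lives only in the site's own form, which is what the check
    relies on.
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, render_comment(form.get("text", ""))


if __name__ == "__main__":
    token = issue_csrf_token("sess-alice")
    # Legitimate submission from the site's own form: cookie and token present.
    legit = {"cookies": {"session": "sess-alice"},
             "form": {"csrf_token": token, "text": '<script>alert("xss")</script>'}}
    # Forged cross-site submission: cookie rides along, token absent.
    forged = {"cookies": {"session": "sess-alice"},
              "form": {"text": "attacker-controlled"}}
    print(handle_post_comment(legit))   # 200 with the script escaped
    print(handle_post_comment(forged))  # 403
```

The escaping in `render_comment` is the HTML-body context only; text placed into attributes, URLs or script blocks needs the encoding for that context, and a `SameSite` cookie attribute is a useful second layer on top of the token check.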

More here:

Secure Web: XSS vs CSRF – What is more dangerous? (view on Google Sidewiki)
