* Ashley <[EMAIL PROTECTED]> [2008-09-30 19:30]:
> If scripting is involved that makes it a XSS attack instead,
> though. No?

No. XSS means injecting attacker-controlled HTML into a page. That’s usually used to inject JavaScript, but doesn’t have to; just HTML could work just as well. The attack takes place when the victim visits a page on the vulnerable site and can cause anything to happen, including sending sensitive information from that page to third parties.

CSRF means getting the victim’s browser to send a request to the vulnerable site. It makes use of what’s sometimes referred to as “ambient authentication,” i.e. the victim is already logged into the vulnerable site, e.g. with a remember-me-forever cookie, which the CSRF attack relies on to trigger actions that require authentication. The attack can take place anywhere on the web at all (you just have to get the victim to visit a site you control) but can only trigger functions of the vulnerable site.

There is some overlap in what you can achieve with the two routes of attack, but the overall risk profiles are different. The main thing to keep in mind is that CSRF holes are much easier to exploit, by virtue of the fact that attacks can be initiated from any page on the web.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
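
The "ambient authentication" point in the message above, as an added example that is not part of the original post and is not Catalyst code: a server-side model in which a handler that trusts the session cookie alone cannot tell a request from the site's own form apart from one initiated on another site. The per-session token check goes beyond what the message covers and is shown as an assumption about one common countermeasure; all names and sample requests are constructed.

```python
import hmac
import secrets

# Constructed server-side session store: session id -> session data.
SESSIONS = {}

def login(user):
    """Create a session; the id goes in a cookie, the token into the site's own forms."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid

def cookie_only_handler(request):
    """Relies on ambient authentication alone: any request carrying the cookie is accepted."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "403 not logged in"
    return f"200 email changed for {session['user']}"

def token_checking_handler(request):
    """Also requires a per-session token that only the site's own pages can embed."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "403 not logged in"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "403 missing or wrong token"
    return f"200 email changed for {session['user']}"

def sample_requests(sid):
    """Two constructed requests, as the server sees them after the browser adds the cookie."""
    own_form = {"cookies": {"sid": sid},
                "form": {"email": "new@example.org",
                         "csrf_token": SESSIONS[sid]["csrf_token"]}}
    # Submitted from a page on another site: the browser still attaches the
    # cookie, but that page cannot read the token from the vulnerable site.
    cross_site = {"cookies": {"sid": sid},
                  "form": {"email": "other@example.net"}}
    return own_form, cross_site

if __name__ == "__main__":
    sid = login("alice")
    for req in sample_requests(sid):
        print(cookie_only_handler(req), "|", token_checking_handler(req))
```
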
