CSRF protection also fixes reflected XSS

Submitted by alla on Fri, 09/24/2010 - 09:08

An application I have recently tested had cross-site request forgery protection implemented throughout - every single form or link with parameters had an additional parameter with a value derived from the session id. When the form is submitted or the link is clicked, before any other processing, this parameter value is checked.

And guess what - that also makes every reflected cross-site scripting bug in the application unexploitable. How?

To exploit reflected XSS, the attacker needs to get the user to submit a request to the application that results in the application echoing back the JavaScript code passed by the attacker in one of the request parameters. But to craft that request, the attacker also needs to supply a valid anti-CSRF parameter value, which he cannot know. If the anti-CSRF parameter is missing or its value is wrong, the user gets an error page instead of the normal page that would have contained the attacker's code. So the XSS exploit fails.
