By John E. Dunn
30 March 2007
The threat from cross-site scripting (XSS) web attacks could get
dramatically worse if hackers start combining it with cross-site request
forgery (CSRF) attacks, researchers have claimed.
Visitors to this weekend's Black Hat security conference in Amsterdam
will hear Ernst & Young researchers detail how such a synthesis of
attack types could be used to greatly increase their effectiveness
compared to using the attacks on their own.
Researchers will demonstrate two attack types, the first of which will
show how to use an easy-to-infect social networking website as a proxy
for an attack on a credit union by hijacking a user's session. The second
will show how the same principle of hijacking a user's browser can be
used to evade conventional database security in a company network, which
would exclude any external source from sending database queries.
In both examples, the attack appears to come from the hijacked machine
rather than the real source. CSRF is used to execute the veiled attack,
with XSS used to get session feedback.
"We're in a stage now where people know about it, but are ignoring it,
and that's kind of dangerous," Billy Rios of Ernst & Young told a
third-party source. "We will show how when you use the two in
combination, you can use the strength of one to overcome the weakness of
the other," he said.
While XSS attacks are the bane of web and e-commerce security, CSRF is
less well documented, though as powerful, the researchers will claim.
Such a technique is much harder to do anything about because it depends
on hijacking legitimate sessions, something that is inherently hard to
"Any kind of client-side vulnerability that's leveraged by using it in
combination with another one expands your [the attacker's] arsenal," said