On Fri, 11 May 2007, Tim Newsham wrote:
>> 1.4.8-4 is vulnerable to an XSS vulnerability, so an attacker could use the
>> XSS vector to grab the session token ("CSRF token") and continue the CSRF
>> attack.
>
> This might just be semantics: I wouldn't consider the XSS attack to be a
> CSRF attack.

The point is, if the application is vulnerable to an XSS vulnerability then having a CSRF token won't protect you from a CSRF attack. The attacker could use the XSS vector to steal the CSRF token, much like the Samy worm worked.

> The XSS script runs in the same context that the user or any
> legitimate script running on behalf of the user runs. When it makes a
> reference, it has access to things like the CSRF token.

Exactly, thus the CSRF token won't be much help in protecting you from a CSRF attack, if the attacker can just parse out that token and use it in a CSRF attack.

--
- Josh