Hacking CSRF Tokens using CSS History Hack

Cross-site scripting, or XSS, is a well-known cybersecurity risk that allows malicious users to take control of, and exploit a user’s system.

Another security risk is Cross-Site Request Forgery (CSRF, or “sea surf”).  This risk allows someone to execute functions within a user’s authenticated session, thus the “forgery” portion of the name.

These two risks are formidable and combined they are even more dangerous.  As such, to eliminate the risk of someone exploiting your system, you should remove XSS scripting from your code or ensure you are using a XSS filter to weed out malicious code.

Additionally, make use of CSRF tokens to ensure you are securing your identification and authentication information.  A properly configured CSRF token will keep your private data just that – private, and not allow a malicious user to forge it.

Although the dangers of XSS are well known, combining an XSS exploit with CSRF is not as commonly understood.  These risks are a good reminder to cyber security professionals to consider all exploits, not just the most commonly knows vulnerabilities like JavaScript or Flash Player.

Leave a Comment