Cross Site Scripting (XSS)

Jeff Atwood had a good post on protecting your site / blog from being hacked.

It turns out I didn’t understand how cross-site request forgery, also known as XSRF or CSRF, works. It’s not complicated, necessarily, but it’s more.. subtle.. than XSS.

Let’s say we allow users to post images on our forum. What if one of our users posted this image?

Not really an image, true, but it will force the target URL to be retrieved by any random user who happens to browse that page — using their browser credentials! From the webserver’s perspective, there is no difference whatsoever between a real user initiated browser request and the above image URL retrieval.

You can read the full post here – http://tinyurl.com/4ne4xs
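The forged image request above succeeds because the browser attaches the victim's session cookie to a GET the user never meant to make. The server-side defence the quoted post is pointing at is to refuse state changes over GET and to demand a secret the attacker's page cannot supply. The following is an added example, not code from this post or from Jeff Atwood's; the forum origin, session ids and request shapes are constructed for illustration, and the CSRF token is an HMAC of the session id under a server secret.

```python
"""Added example: minimal server-side CSRF defence for a forum endpoint.

Nothing here is from the quoted post; SITE_ORIGIN, the session ids and
the Request shape are constructed to make the checks runnable offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed for the example; a real deployment loads this from config.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://forum.example"  # constructed


def csrf_token_for(session_id: str) -> str:
    """Per-session token = HMAC-SHA256(secret, session id).

    A page on another origin can make the browser send the session cookie,
    but it cannot read the cookie, so it cannot compute this value.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the expected token."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), presented)


@dataclass
class Request:
    """Just the parts of an HTTP request the checks below look at."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def handle_delete_post(req: Request) -> Tuple[int, str]:
    """State-changing endpoint with layered CSRF checks.

    1. GET never changes state, so an <img src=...> load cannot trigger it.
    2. A cross-origin Origin or a cross-site Sec-Fetch-Site header is refused
       (browsers set these; an attacker's page cannot forge them).
    3. The request must carry the per-session token in the form body.
    """
    session_id = req.cookies.get("session")
    if session_id is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site not in (None, "same-origin", "none"):
        return 403, "cross-site fetch refused"
    if not token_is_valid(session_id, req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "post deleted"


if __name__ == "__main__":
    # The forged image load from the quoted post: cookie present, no token, GET.
    forged = Request("GET", "/delete?id=42", cookies={"session": "s1"},
                     headers={"Sec-Fetch-Site": "cross-site"})
    print(handle_delete_post(forged))
    # The same user performing the action from the forum's own page.
    legit = Request("POST", "/delete", cookies={"session": "s1"},
                    headers={"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
                    form={"id": "42", "csrf_token": csrf_token_for("s1")})
    print(handle_delete_post(legit))
```

The three checks are deliberately redundant: the method check alone defeats the image trick, the Origin and Sec-Fetch-Site checks catch auto-submitted cross-site forms in modern browsers, and the token covers clients that send neither header.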

Tim Schoffelman of SilentGap
