Kicking Down The Cross Domain Door (One XSS At A Time), presented at Black Hat Europe 2007

by Raghav Dube

Tags: Security Web Browser

Summary: Cross Site Request Forgery (XSRF) has been billed as the newest weapon for cross domain web application exploitation. Despite the massive impact of XSRF, the attack remains extremely difficult to complete, as it requires an attacker to blindly strike against external domains, hoping their attacks were successful. Now, imagine a new scenario... a scenario where an attacker can instantly see the results of their cross domain attacks. Imagine that an attacker can now steal cookies from a site you haven't been to in a week, brute force username/password combinations for internal network devices, or use your browser to run a Nikto scan against a website you've never visited!