nav #navigation ul.menu li:hover .dropmenu {display:block;} .head-menu nav .sub-menu-wrapper { top: 28px; } .head-menu nav .menu-item:hover .sub-menu-wrapper { display: block; }

6 Terms on Machine Learning You May Have Heard of

August 1, 2019

State of Application Security at S&P Global World's 100 Largest Banks

July 10, 2019

The Age of the Supply Chain Attack

June 11, 2019

What We Learned from Infosecurity Europe 2019: GDPR, Budgets, and People Problems

June 6, 2019

Has GDPR Been Kind to You So Far?

May 28, 2019

News and press releases

ImmuniWeb® AI Introduces Rapid Testing and Report Delivery SLA for CI/CD

June 26, 2019

ImmuniWeb® Portal now offers 2FA OTP support

June 19, 2019

ImmuniWeb launches free website security and GDPR compliance test

May 29, 2019

ImmuniWeb named a Key Player on the AI in Cybersecurity Global Market

May 13, 2019

ImmuniWeb Launches Partner Portal

May 1, 2019

OWASP Top 10

OWASP’s #1 Web Application Risk - the Threat of and Solution to Web Application Injection Attacks

June 14, 2018

OWASP’s #2 Web Application Risk – the Threat of and Solution to Broken Authentication

June 21, 2018

OWASP’s #3 Web Application Risk – the Threat of and Solution to Sensitive Data Exposure

June 28, 2018

XML External Entities (XXE): the Threat of and Solution

July 5, 2018

OWASP Top 10: Broken Access Control, the risks and solutions

July 12, 2018

Security Misconfiguration, a conscious element of OWASP Top 10, the risks and solutions

July 19, 2018

XSS, a notable OWASP Top 10 old-timer, still brings up to $7,500 to researchers

July 26, 2018

Insecure Deserialization: OWASP Top 10 element of arduous exploitation but leading to system takeover

August 2, 2018

Components with Known Vulnerabilities - a major OWASP Top 10 Risk

August 21, 2018

Last but not least: OWASP Top Ten #10 - Insufficient Logging and Monitoring

August 14, 2018

Search Blog

#infosec #OWASP
#Risk Management #microservices
#Application Security #Cybersecurity #AI #DevSecOps

ImmuniWeb > Security Blog

XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications

2.1k
155
19
5
11
More
15
13
13

Wednesday, January 18, 2012 By Marsel Nizamutdinov Read Time: 4 min.

These days many people do not consider post-authentication vulnerabilities dangerous, such as Stored XSS in the administrator’s portion of a web application.

Author: Marsel Nizamutdinov, Head of Research & Development Department at High-Tech Bridge SA

These days many people do not consider post-authentication vulnerabilities dangerous, such as Stored XSS in the administrator’s portion of a web application.

This situation is probably aggravated by some misinformation websites and some self-proclaimed security experts, which try to deny disclosed vulnerabilities by posing them as a feature implemented by design. The problem is that they simply do not understand the exploitation’s vectors of these vulnerabilities and they consider them as benign, as long as they impact webpages which do not remain available to unauthenticated users.

XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications

PDF: XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications (732 kB)

This article was nominated among "The Best of PenTest Magazine" special 2012 edition.

Tags: CSRF XSS exploitation web applications

Previous Blog Posts:

Cybercrime in nowadays businesses: A real case study of targeted attack

Spying Internet Explorer 8.0

2.1k
155
19
5
11
More
15
13
13

User Comments

Quick Start