nav #navigation ul.menu li:hover .dropmenu {display:block;} .head-menu nav .sub-menu-wrapper { top: 28px; } .head-menu nav .menu-item:hover .sub-menu-wrapper { display: block; }

State of Cybersecurity at Top 100 Global Airports

January 29, 2020

AI: Is the Hype Over or Is it Just the Solow Paradox?

January 17, 2020

5 Common Web Security Mistakes That Cost Millions

November 14, 2019

State of Stolen Credentials in the Dark Web from Fortune 500 Companies

October 30, 2019

4 Reasons Why Your Company Should Use IT Security Software

October 24, 2019

News and press releases

ImmuniWeb to Partner with Appdome in Mobile Application Security

February 13, 2020

PwC Switzerland and ImmuniWeb Are Joining Forces to Facilitate SMEs' Access to Cybersecurity

January 28, 2020

ImmuniWeb Announces a Partnership with E-SPIN Group

January 22, 2020

5 New Features on ImmuniWeb Customer Portal

January 16, 2020

ImmuniWeb Receives the Elite “Hall of Fame” Status in SC Media’s Reboot 19 Innovator Award

January 7, 2020

OWASP Top 10

OWASP’s #1 Web Application Risk - the Threat of and Solution to Web Application Injection Attacks

June 14, 2018

OWASP’s #2 Web Application Risk – the Threat of and Solution to Broken Authentication

June 21, 2018

OWASP’s #3 Web Application Risk – the Threat of and Solution to Sensitive Data Exposure

June 28, 2018

XML External Entities (XXE): the Threat of and Solution

July 5, 2018

OWASP Top 10: Broken Access Control, the risks and solutions

July 12, 2018

Security Misconfiguration, a conscious element of OWASP Top 10, the risks and solutions

July 19, 2018

XSS, a notable OWASP Top 10 old-timer, still brings up to $7,500 to researchers

July 26, 2018

Insecure Deserialization: OWASP Top 10 element of arduous exploitation but leading to system takeover

August 2, 2018

Components with Known Vulnerabilities - a major OWASP Top 10 Risk

August 21, 2018

Last but not least: OWASP Top Ten #10 - Insufficient Logging and Monitoring

August 14, 2018

Search Blog

#infosec #OWASP
#Risk Management #microservices
#Application Security #Cybersecurity #AI #DevSecOps

ImmuniWeb > Security Blog

XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications

2.5k
155
19
5
11
More
15
13
13

Wednesday, January 18, 2012 By Marsel Nizamutdinov Read Time: 4 min.

These days many people do not consider post-authentication vulnerabilities dangerous, such as Stored XSS in the administrator’s portion of a web application.

Author: Marsel Nizamutdinov, Head of Research & Development Department at High-Tech Bridge SA

These days many people do not consider post-authentication vulnerabilities dangerous, such as Stored XSS in the administrator’s portion of a web application.

This situation is probably aggravated by some misinformation websites and some self-proclaimed security experts, which try to deny disclosed vulnerabilities by posing them as a feature implemented by design. The problem is that they simply do not understand the exploitation’s vectors of these vulnerabilities and they consider them as benign, as long as they impact webpages which do not remain available to unauthenticated users.

XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications

PDF: XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications (732 kB)

This article was nominated among "The Best of PenTest Magazine" special 2012 edition.

Tags: CSRF XSS exploitation web applications

Previous Blog Posts:

Cybercrime in nowadays businesses: A real case study of targeted attack

Spying Internet Explorer 8.0

2.5k
155
19
5
11
More
15
13
13

User Comments