
Let's say there is an XSS vulnerability in an application, and the application is not using any kind of CSRF token, just the Referer header to protect against CSRF. The Referer header is validated properly. So in this case, can we bypass the Referer header to perform CSRF? If yes, then how?

Because OWASP always recommends a token to prevent CSRF...

Anders
    If you have an XSS vulnerability, you don't need CSRF at all. CSRF allows you to send HTTP requests as the user. If you have an XSS vulnerability, you can do all of that and more. – Jan 24 '20 at 12:13

1 Answer


If there is an XSS vulnerability, the attacker has won. If you can execute arbitrary JavaScript on the victim's machine in the target origin, you can do whatever you want - you don't need to bypass any CSRF protection to wreak havoc.

Also, no CSRF protections survive an XSS vulnerability. A referer header check does not help, since the attacker can just send the requests with the injected script, so they will have the right referer. A CSRF token doesn't help either, since it can easily be exfiltrated.

In short, XSS > CSRF.

Anders
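As an added illustration (not part of the question or of the answer above), here is a strict Referer/Origin check in Python of the kind the question describes as "validating properly". The allowed origin and the header values are constructed for the example; the Origin-header fallback is an addition a defender would normally make, not something the question mentions. Running the cases shows the point the answer and the comment make: the check rejects cross-site and look-alike referers, but a request issued from inside the application's own origin, which is exactly what script injected via XSS does, carries the legitimate Referer and passes. The server has no way to tell it apart from a request the user initiated.

```python
from urllib.parse import urlsplit

# The origin this application is served from (constructed for the example).
ALLOWED_ORIGINS = {"https://app.example.com"}


def origin_of(url):
    """Return the normalised scheme://host[:port] of a URL, or None if it is unusable.

    Comparing whole origins (not string prefixes) is what stops look-alike
    hosts such as app.example.com.evil.example from passing the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port is not None and parts.port != default_port:
        origin += f":{parts.port}"
    return origin


def referer_check_passes(headers):
    """Decide whether a state-changing request may proceed.

    Prefers the Origin header, falls back to Referer, and fails closed when
    neither is present (a missing header must not be treated as same-origin).
    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value:
            return origin_of(value) in ALLOWED_ORIGINS
    return False


def demo():
    """Return the verdict for a set of constructed requests."""
    cases = {
        # A cross-site page trying classic CSRF: rejected.
        "cross-site": {"Referer": "https://evil.example/page"},
        # A host that merely starts with the allowed name: rejected.
        "look-alike": {"Referer": "https://app.example.com.evil.example/x"},
        # No Referer or Origin at all: rejected (fail closed).
        "no-headers": {},
        # A request from the application's own pages. Script injected by XSS
        # runs in this origin too, so its requests look exactly like this one.
        "same-origin": {"Referer": "https://app.example.com/account/settings"},
    }
    return {label: referer_check_passes(hdrs) for label, hdrs in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:12s} -> {'allowed' if verdict else 'blocked'}")
```

The same reasoning applies to a token: a script running in the origin can read the page that embeds the token, so the token check is satisfied just as the Referer check is. Neither mechanism is a defence against XSS; they only address requests that originate from other sites.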