
Suppose we have a domain with a stored-XSS vulnerability. I know it's already critical, but I'm talking about limiting the damage.

The hacker can't get the admin's session cookie, because it's flagged HttpOnly and the server doesn't allow the TRACE method.

However, the attacker can use CSRF to force the admin to create a user in the application.

Most CSRF controls will only make it difficult for the hacker, not impossible:

  • Synchronizer tokens and viewstate could easily be stolen with Ajax requests, since they are sent from the same domain.
  • Referer and Origin validation is also not applicable.
  • Any other multi-step request could be simulated with Ajax.
  • Double submits are also vulnerable, since the browser sends the cookies by default.
  • CAPTCHAs are difficult, but theoretically they can be cracked using Mechanical Turk.

The only control that seems to work is asking for the admin's credentials each time a sensitive request is made. But is creating a user a sensitive request? Or changing someone's password? Maybe it's a daily task.

Any insights on this topic? Can we protect against CSRF via stored XSS?

Khalid

1 Answer

Due to the Same-Origin Policy (SoP), CSRF and XSS have a kind of rock-paper-scissors relationship. All CSRF prevention methods rely upon the SoP, and XSS is a fundamental bypass of the SoP. In the case of reflected XSS, you need a "cross-site request" in order to deliver the JavaScript payload, so in these cases a CSRF token can make reflected XSS unexploitable.

With XSS you can read any page with an XHR, which can be used to obtain CSRF synchronizer tokens. CAPTCHAs are not safe either, because they can be solved remotely using XSS (a BeEF tunnel will do the trick). With XSS you can also obtain passwords with phishing, or trick the user into authorizing actions on the attacker's behalf.

Let me be clear: there is no method of CSRF prevention that can protect against an SoP bypass. A persistent-XSS vulnerability is one of the best SoP bypasses available to the modern attacker.

rook
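To make the boundary of each control concrete, here is an added server-side model that is not part of the question or the answer above. It is a constructed toy application (the origin `https://app.example`, the session store, the password hash and the `create_user` action are all assumptions) with an Origin check, a synchronizer token bound to the session, and an optional re-authentication gate. `demo()` runs the same "create user" action three ways: as a classic cross-site forgery, as a request built by script already running on the application's own origin (the stored-XSS situation the thread describes), and as that same request against the re-authentication variant.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed toy model of a web app (not code from the thread):
# an in-memory session store, an Origin + synchronizer-token CSRF check,
# and an optional re-authentication gate on the "create user" action.

SITE_ORIGIN = "https://app.example"  # assumed application origin
PASSWORD_HASHES = {"admin": hashlib.sha256(b"constructed-admin-pw").hexdigest()}
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}
USERS = {"admin"}


def verify_password(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(PASSWORD_HASHES.get(user, ""), digest)


def login(user, password):
    """Return a session id and bind a fresh per-session CSRF token to it."""
    if not verify_password(user, password):
        raise PermissionError("bad credentials")
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


@dataclass
class Request:
    cookies: dict  # attached automatically by the browser on every request
    origin: str    # Origin header the browser attaches
    form: dict = field(default_factory=dict)


def render_settings_page(req):
    """A same-origin HTML page that embeds the synchronizer token in a form."""
    sess = SESSIONS[req.cookies["sid"]]
    return f'<form><input type="hidden" name="csrf" value="{sess["csrf"]}"></form>'


def csrf_check(req):
    """Origin validation plus synchronizer token. Returns 'ok' or a reject reason."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "no-session"
    if req.origin != SITE_ORIGIN:
        return "bad-origin"
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return "bad-token"
    return "ok"


def create_user(req, require_reauth=False):
    """The sensitive action. With require_reauth the caller must resend the password."""
    verdict = csrf_check(req)
    if verdict != "ok":
        return ("rejected", verdict)
    if require_reauth:
        user = SESSIONS[req.cookies["sid"]]["user"]
        if not verify_password(user, req.form.get("password", "")):
            return ("rejected", "reauth-failed")
    USERS.add(req.form["new_user"])
    return ("created", req.form["new_user"])


def demo():
    sid = login("admin", "constructed-admin-pw")
    cookies = {"sid": sid}

    # 1. Classic cross-site forgery: the cookie rides along, but the Origin is
    #    foreign and the token is unknown. The CSRF control does its job.
    cross_site = Request(cookies, "https://evil.example", {"new_user": "mallory"})
    r1 = create_user(cross_site)

    # 2. Script already running on the application origin (the stored-XSS case):
    #    the settings page is readable over a same-origin XHR, so the token is
    #    in hand and the Origin header is the site's own. The same check passes.
    page = render_settings_page(Request(cookies, SITE_ORIGIN))
    token = re.search(r'name="csrf" value="([0-9a-f]+)"', page).group(1)
    same_origin = Request(cookies, SITE_ORIGIN, {"new_user": "mallory", "csrf": token})
    r2 = create_user(same_origin)

    # 3. The same request against the re-authentication variant: the password
    #    is not stored anywhere the page can be read from, so it is refused.
    r3 = create_user(same_origin, require_reauth=True)
    return r1, r2, r3


if __name__ == "__main__":
    labels = ("cross-site", "same-origin script", "same-origin + re-auth")
    for label, result in zip(labels, demo()):
        print(f"{label:24s} -> {result}")
```

The three verdicts line up with the thread: the Origin and token checks stop the cross-site request, pass the same-origin one, and only the re-authentication gate refuses it. As the answer notes, even that gate is only a higher bar rather than a cure, since script on the origin can present its own login form and phish the password; the durable fix is removing the stored XSS itself.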