The threat from cross-site scripting (XSS) web attacks could get dramatically worse if hackers start combining it with cross-site request forgery (CSRF) attacks, researchers have claimed.
Visitors to this weekend’s Black Hat security conference in Amsterdam will hear Ernst & Young researchers detail how such a synthesis of attack types could be far more effective than either attack used on its own.
Researchers will demonstrate two attack types, the first of which will show how to use an easy-to-infect social networking website as a proxy for an attack on a credit union by hijacking a user’s session. The second will show how the same principle of hijacking a user’s browser can be used to evade conventional database security in a company network, which would exclude any external source from sending database queries.
In both examples, the attack appears to come from the hijacked machine rather than the real source. CSRF is used to execute the veiled attack, with XSS used to get session feedback.
"We're in a stage now where people know about it, but are ignoring it, and that's kind of dangerous," Billy Rios of Ernst & Young told a third-party source. "We will show how when you use the two in combination, you can use the strength of one to overcome the weakness of the other," he said.
While XSS attacks are the bane of web and e-commerce security, CSRF is less well documented, though as powerful, the researchers will claim. Such a technique is much harder to counter because it depends on hijacking legitimate sessions, something that is inherently hard to detect.
"Any kind of client-side vulnerability that's leveraged by using it in combination with another one expands your [the attacker’s] arsenal,” said Rios.