XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applicationsJanuary 18, 2012
Author: Marsel Nizamutdinov, Head of Research & Development Department at High-Tech Bridge SA
These days many people do not consider post-authentication vulnerabilities dangerous, such as Stored XSS in the administrator’s portion of a web application.
This situation is probably aggravated by some misinformation websites and some self-proclaimed security experts, which try to deny disclosed vulnerabilities by posing them as a feature implemented by design. The problem is that they simply do not understand the exploitation’s vectors of these vulnerabilities and they consider them as benign, as long as they impact webpages which do not remain available to unauthenticated users.
This article was nominated among "The Best of PenTest Magazine" special 2012 edition.