
XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications

January 18, 2012

Author: Marsel Nizamutdinov, Head of Research & Development Department at High-Tech Bridge SA


These days many people do not consider post-authentication vulnerabilities, such as a stored XSS in the administrator's portion of a web application, to be dangerous.

This situation is probably aggravated by some misinformation websites and self-proclaimed security experts who try to dismiss disclosed vulnerabilities by presenting them as features implemented by design. The problem is that they simply do not understand the exploitation vectors of these vulnerabilities and consider them benign as long as they affect only web pages that are not available to unauthenticated users.
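The two defects the article is about, illustrated as an added example (not code from the article or from High-Tech Bridge): a simulated admin-only moderation page that stores a visitor's comment and later renders it to the administrator, first without and then with output encoding, plus a state-changing admin action with and without a CSRF token check. The comment strings, the `AdminSession` class and the handler names are constructed for this illustration; no web framework is involved, so it runs offline.

```python
import hmac
import html
import secrets

# Constructed sample input: two comments a visitor might submit to a public
# form. Only the administrator ever sees them, on a moderation page.
PENDING_COMMENTS = [
    "Great article, thanks!",
    '<img src=x onerror="alert(document.cookie)">',
]


def render_admin_page_unsafe(comments):
    """Moderation page that trusts stored input (the vulnerable pattern).

    The page is behind authentication, so anonymous users never see it, but
    the stored markup is still interpreted by the administrator's browser
    when the administrator opens the page. That is what makes a post-auth
    stored XSS a real issue rather than a 'feature'.
    """
    rows = "".join(f"<li>{c}</li>" for c in comments)
    return f"<ul>{rows}</ul>"


def render_admin_page_safe(comments):
    """Same page with HTML output encoding applied at the rendering boundary.

    html.escape turns <, >, &, " and ' into entities, so the stored string
    is displayed as text and never becomes an element or attribute.
    """
    rows = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<ul>{rows}</ul>"


class AdminSession:
    """Hypothetical server-side session for a logged-in administrator.

    The CSRF token is generated per session and must be echoed back by any
    form that changes state.
    """

    def __init__(self):
        self.csrf_token = secrets.token_hex(32)


def handle_delete_user_unsafe(session, form):
    """State-changing admin action with no CSRF protection.

    Any page the administrator visits while logged in could submit this form
    in the administrator's name, because the browser attaches the session
    cookie automatically.
    """
    return (200, f"user {form['user_id']} deleted")


def handle_delete_user_safe(session, form):
    """Same action, rejected unless the per-session CSRF token is present
    and matches. compare_digest avoids timing differences on mismatch."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return (403, "CSRF token missing or invalid")
    return (200, f"user {form['user_id']} deleted")


if __name__ == "__main__":
    print(render_admin_page_unsafe(PENDING_COMMENTS))
    print(render_admin_page_safe(PENDING_COMMENTS))
    s = AdminSession()
    print(handle_delete_user_unsafe(s, {"user_id": "7"}))
    print(handle_delete_user_safe(s, {"user_id": "7"}))
    print(handle_delete_user_safe(s, {"user_id": "7", "csrf_token": s.csrf_token}))
```

The point of the pairing is that neither fix depends on who can reach the page: output encoding is applied wherever untrusted data is rendered, and the token check is applied to every state-changing request, whether or not the endpoint sits behind a login.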


PDF: XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications (732 kB)

This article was nominated among "The Best of PenTest Magazine" special 2012 edition.