Ernst & Young researchers will share some detail on how such a synthesis of attack types could be used to greatly increase the effectiveness compared to using the attacks on their own at Black Hat security conference in Amsterdam. They will shou us that the threat from cross-site scripting (XSS) web attacks could get dramatically worse if hackers start combining it with cross-site request forgery (CSRF) attacks.

    The researchers will demonstrate two attack modes, the first of which will who how to use an easy-to-infect social networking page as a proxy for an attack on a credit union by hijacking a user’s session. The second will show how the same principle of hijacking a user’s browser can be used to evade conventional database security in a company network, which would exclude any external source from sending database queries. In these examples, the attack appears to come from the hijacked machine rather than the real source. CSRF is used to execute the veiled attack, with XSS used to get session feedback.

    Billy Rios of Ernst & Young, stated: "We're in a stage now where people know about it, but are ignoring it, and that's kind of dangerous. "We will show how when you use the two in combination, you can use the strength of one to overcome the weakness of the other. Any kind of client-side vulnerability that's leveraged by using it in combination with another one expands your [the attacker’s] arsenal."

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

Cross-site request forgery (CSRF), also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts. Compared to XSS, CSRF attacks are not well understood by many web developers and few defense resources are available.

    While XSS attacks are the bane of web and e-commerce security, CSRF is less well documented, though as powerful the researchers will claim. Such a technique is much harder to do anything about because it depends on hijacking legitimate sessions, something that is inherently hard to detect.