Cross-Site Scripting - Session Riding (XSS To CSRF)
2024-04-27
The worst thing to see in a penetration testing report is a vulnerability with no impact. I am sure we are all sick of XSS findings where alert(1) is put as the proof of concept. As penetration testers, we need to show clients and developers the actual business impact of our findings. Session riding is the best proof of concept: it has more impact than stealing cookies, and it shows how an unprivileged or low-privileged user can escalate to administrator privileges in an application.