On Wed, May 11, 2016 at 7:16 PM, Niklas Keller <m...@kelunik.com> wrote:
> 2016-05-11 17:41 GMT+02:00 Andrey Andreev <n...@devilix.net>:
>
>> Your login form too needs CSRF protection. It's a chicken and egg problem.
>>
>
> Not really. As long as you don't have the credentials.
> You can't make any requests as the authenticated user, as there is no
> authenticated user.
>

Riding an authenticated user's session is the obvious, and indeed most serious
CSRF attack, but not the only one ... An attacker-chosen account could be
leveraged for phishing, and depending on the functionality of the website -
possibly also XSS, malicious software distribution, who knows what else.

Cheers,
Andrey.
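The mitigation the thread is arguing about, as an added illustration that is not part of either message: a login form gets a CSRF token bound to the *pre-authentication* session, so a cross-site POST carrying attacker-chosen credentials is rejected even though no user is logged in. Session store, key handling and the plaintext password check are constructed stand-ins for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed for this example: a per-process server key and an in-memory
# session store. A real deployment would persist both appropriately.
SECRET_KEY = secrets.token_bytes(32)
SESSIONS: Dict[str, dict] = {}


def new_anonymous_session() -> str:
    """Create the pre-authentication session the login form is tied to.
    This is issued when the login page is rendered, before any credentials."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_csrf_token(sid: str) -> str:
    """Token embedded in the login form, derived from the session id.
    A cross-site attacker cannot read the victim's cookie, so it cannot
    compute this value for the victim's session."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_login(request: dict, users: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Process a login POST.
    request = {"cookie_sid": <session cookie>, "form": {"csrf", "user", "password"}}
    Returns (HTTP status, new session id on success).
    403 = CSRF check failed, 401 = bad credentials."""
    sid = request.get("cookie_sid")
    if sid not in SESSIONS:
        return 403, None  # no pre-auth session to bind the form to
    submitted = request["form"].get("csrf", "")
    # Constant-time compare: the token must match the session in the cookie,
    # not just be *a* valid token (e.g. one from the attacker's own session).
    if not hmac.compare_digest(submitted, login_csrf_token(sid)):
        return 403, None
    user = request["form"].get("user", "")
    # Stand-in for a password-hash verification; plaintext only for the demo.
    if users.get(user) != request["form"].get("password"):
        return 401, None
    # Rotate the session id on successful login so the pre-auth session
    # cannot be fixated by whoever handed it to the browser.
    del SESSIONS[sid]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": user}
    return 200, new_sid
```

With this in place, a forged cross-site submission that logs the victim into an attacker-chosen account fails the token check, while the victim's own submission from the rendered form succeeds and gets a fresh session.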