1. Mysite.com personalizes its site with a reference to a user's name. This name is stored in a database, and gets retrieved when certain pages are visited. The name value isn't validated upon retrieval, because only users can edit their display names. Is this high or low risk?

2. Someone at Mysite.com broke the access controls on their database, which now allows anyone (not just admins) to change the display name of any other user. Is this significant?

3. To mitigate against XSRF, your application checks for an additional token beyond the session cookie. Your application still contains some XSS vulnerabilities though. Your co-worker claims that the XSS problems mean your XSRF defenses can be defeated: XSS payloads execute on-site, so they have two-way interaction with the site, and hence can grab the session tokens/data to submit in subsequent requests. Should you worry about XSRF attacks via the XSS holes?

NOTE: This question was taken from the "Web Application Hacker's Handbook", page 445.

ANALYSIS: A slightly paraphrased version of their analysis is as follows:

Not if the problems are reflected XSS. The initial request in a reflected XSS attack is cross-site. If the vulnerable page was protected against XSRF, the attacker's request must already contain the required nonce/token in order to succeed. If it does not, their XSS payload will not run.

"The issue here is not about whether injected JavaScript can read any tokens contained in the application's response (of course it can), but rather about getting the JavaScript into a response containing those tokens in the first place". [WAHH 445]
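The analysis of question 3, as an added example that is not from the book or from the original notes: a minimal Python request handler that verifies a per-session anti-CSRF token before any request data reaches the response, so a forged cross-site request carrying a reflected payload is rejected before the reflection happens. The session store, cookie name, parameter names and token values are constructed for the illustration.

```python
import hmac
import html
import secrets

# Constructed sample session store: session cookie -> per-session CSRF token.
# A real application issues these at login; the values here are made up.
SESSIONS = {
    "sess-abc123": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def handle_profile_page(cookies: dict, params: dict) -> dict:
    """Render a page that reflects the 'name' parameter, but only after the
    session cookie and the anti-CSRF token have both been verified."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return {"status": 401, "body": "login required"}

    # The token check runs before any request data is echoed back.
    # A cross-site request cannot read the token, so it stops here.
    expected = session["csrf_token"]
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return {"status": 403, "body": "missing or invalid CSRF token"}

    # Only a same-origin, token-bearing request reaches the reflection;
    # escaping the value means even that path will not execute script.
    name = html.escape(params.get("name", ""))
    return {"status": 200, "body": f"<p>Hello, {name}</p>"}


def forged_cross_site_request() -> dict:
    """The scenario from the analysis: the victim's browser attaches the
    session cookie, but the cross-site requester cannot supply the token."""
    reflected = "<script>alert(1)</script>"  # constructed sample input
    return handle_profile_page(
        cookies={"session": "sess-abc123"},
        params={"name": reflected},
    )


def same_origin_request() -> dict:
    """A legitimate request made from the site's own page, which can read
    and include the per-session token."""
    token = SESSIONS["sess-abc123"]["csrf_token"]
    return handle_profile_page(
        cookies={"session": "sess-abc123"},
        params={"name": "Alice", "csrf_token": token},
    )
```

The forged request is refused with 403 and its body never contains the submitted value, which is the point of the analysis: the token gate is reached before the reflection, not after it.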