1. Mysite.com personalizes its site with a reference to a user's name.
This name is stored in a database, and gets retrieved when certain
pages are visited.  The name value isn't validated upon retrieval,
because only users can edit their display names.

Is this high or low risk?

2. Someone at Mysite.com broke the access controls on their database,
which now allows anyone (not just admins) to change the display name
of any other user.  

Is this significant?





3. To mitigate against XSRF, your application checks for an additional
token beyond the session cookie.  Your application still contains some
XSS vulnerabilities though.  Your co-worker claims that the XSS
problems mean your XSRF defenses can be defeated: XSS payloads execute
on-site, so they have two-way interaction with the site, and hence can
grab the session tokens/data to submit in subsequent requests.  Should
you worry about XSRF attacks via the XSS holes?

NOTE: This question was taken from the "Web Application Hacker's
Handbook", page 445.  

ANALYSIS: A slightly paraphrased version of their analysis is as
follows: Not if the problems are reflected XSS.  The initial request in
a reflected XSS attack is cross-site.  If the vulnerable page was
protected against XSRF, the attacker's request must already contain
the required nonce/token in order to succeed.  If it does not, their
XSS payload will not run.  "The issue here is not about whether
injected JavaScript can read any tokens contained in the application's
response (of course it can), but rather about getting the JavaScript
into a response containing those tokens in the first place". [WAHH 445]