Hacking CSRF Tokens using CSS History Hack
Cross-site scripting, or XSS, is a well-known cyber security risk that allows malicious users to take control of, and exploit, a user’s system.
Another security risk is Cross-Site Request Forgery (CSRF, or “sea surf”). This risk allows someone to execute functions within a user’s authenticated session, thus the “forgery” portion of the name.
These two risks are formidable and combined they are even more dangerous. As such, to eliminate the risk of someone exploiting your system, you should remove XSS scripting from your code or ensure you are using a XSS filter to weed out malicious code.
Additionally, make use of CSRF tokens to ensure you are securing your identification and authentication information. A properly configured CSRF token will keep your private data just that – private, and not allow a malicious user to forge it.