This morning I knocked up some proof of concept code to illustrate the retrieval of one-time authentication tokens. The situation in which this is handy is when a site follows best practices and implements a one-time authentication token, but is vulnerable to a XSS attack. A one-time authentication token is a hidden value implanted into either a link or form. For example, Digg's one-time token looks like this:
{% highlight html %} digg it {% endhighlight %}So, performing the actions in the "dig" function without the correct token (which is issued on a per-session basis) has no effect and will probably trigger a security alert. However, imagine if Digg was found to be vulnerable to a XSS hole - it would be possible to read the token by submitting an AJAX request and then parsing the response. Here is a snippet from the code that does just that:
{% highlight html %} var match = regexMatch('javascript:dig\(\d,\d+,([^]+)',response); {% endhighlight %}This example is not particularly sophisticated, but it illustrates that XSS attacks are NOT protected against by implementing one time-tokens and that CSRF attacks are still entirely possible if a XSS hole is found in the site, tokens or not.