Know The Difference Between XSS vs CSRF
Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF) are very common client-side
attacks against web applications. While XSS executes scripts in the victim's browser to gain the
user's privileges, CSRF forges requests on the victim's behalf. It's safe to say that XSS exploits
the browser's trust in a legitimate website, while CSRF takes advantage of the website's trust in the
user's browser.
What is a cross-site request?
Cross-site requests are meant to make websites dynamic such that websites can embed content
from other pages. For example, online advertisements use cross-site requests to display images
from Amazon, eBay, or other shopping sites.
How does CSRF work?
CSRF is a type of malicious exploit that forges and sends an HTTP request to a target website
through the user's machine. An open session on the target website is needed to perform this attack,
so that the forged request is sent along with the session cookie. The HTTP request can be
triggered using HTML tags or JavaScript.
Steps to exploit CSRF
• Build a malicious website that is capable of forging HTTP requests
• Make the victim visit the malicious website while having an open session on the target
website
• Use JavaScript (POST requests) or HTML tags (GET requests) to trigger the HTTP request
• The HTTP request is sent out from the victim's machine along with the session cookie.
The success or failure of the attack relies on the countermeasures implemented on the target
website. Secret tokens and same-site cookies are among the countermeasures used to protect against
CSRF; they let the web server differentiate a request from its own page from one sent by an untrusted third party.
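The two countermeasures named above, combined in one server-side check, as an added example that is not part of the original article: the token is an HMAC bound to the session, the session cookie is issued with SameSite=Lax, and a state-changing POST is accepted only when the cookie, the Origin header and the form token all line up. The server key, site origin and the two sample requests are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed server-side secret and site origin (placeholders, not real values).
SERVER_KEY = b"constructed-server-secret-change-me"
SITE_ORIGIN = "https://bank.example"

def csrf_token(session_id: str) -> str:
    """Secret token bound to the session. A third-party page cannot read it: the
    same-origin policy stops its scripts from reading the target site's responses."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session. SameSite=Lax stops the browser from
    attaching the cookie to cross-site POSTs, a second line of defence beside the token."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax"

def is_trusted_request(headers: dict, body: str) -> bool:
    """Accept a state-changing POST only if (1) it carries a session cookie,
    (2) its Origin (or Referer) is this site, and (3) the form token matches the session."""
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("Cookie", "").split(";") if "=" in c)
    session_id = cookies.get("session")
    if not session_id:
        return False                       # no open session, so nothing to forge
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return False                       # request originated on a third-party page
    sent = parse_qs(body).get("csrf_token", [""])[0]
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(sent, csrf_token(session_id))

# Constructed sample requests. The legitimate form was rendered by the site itself and
# carries the token; the forged one is an auto-submitted form on attacker.example, which
# the browser would send with the cookie but without the token or a matching Origin.
SESSION = "s3ss10n"
LEGIT = ({"Cookie": f"session={SESSION}", "Origin": SITE_ORIGIN},
         f"action=transfer&amount=100&csrf_token={csrf_token(SESSION)}")
FORGED = ({"Cookie": f"session={SESSION}", "Origin": "https://attacker.example"},
          "action=transfer&amount=100")

if __name__ == "__main__":
    print(session_cookie_header(SESSION))
    print("legitimate request accepted:", is_trusted_request(*LEGIT))   # True
    print("forged request accepted:", is_trusted_request(*FORGED))      # False
```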
How does XSS work?
XSS is a code injection attack where the goal is to execute a script (JavaScript) in the victim's
browser to obtain user credentials, perform actions on the target website, and so on. It is not a
straightforward attack, since web browsers implement a sandbox (the same-origin policy) that doesn't allow
"background interaction" between web pages. The attacker can run scripts from his own page, but they
will affect only his website. They will not affect the interaction between the user and the target web pages,
nor can they access the target website's data.
There are two ways the attacker can inject a script into the user's browser through the target
website. A Persistent (stored) XSS attack stores the script on the target website, making it reach
everyone who visits the web page; it doesn't target a specific user. On the other hand, a Reflected
XSS attack takes advantage of unsanitized input, sending the script as part of it. When the server
receives it, it returns (reflects) the script to the victim's machine, and the browser executes it.
What are the Differences?
• XSS is more dangerous because it does not need user interaction, while CSRF requires an
open session on the target website
• XSS can send requests and receive responses, while CSRF can only send HTTP requests.
• XSS executes arbitrary scripts to retrieve data, while CSRF performs specified actions
(add, delete, modify).
• XSS exploits unsanitized inputs and waits for the user to visit a trusted website, while CSRF
relies on the user visiting the attacker's website
• XSS takes advantage of the victim's browser's trust in a web server
• CSRF exploits the trust of the website in the victim's browser
XSS and CSRF are common web vulnerabilities that, although discovered long ago, still
represent a threat to website security. Technology giants such as Facebook, Netflix, and
Twitter have still had these vulnerabilities found in their websites. It's essential to understand and
implement countermeasures so that the website can recognize untrusted third parties' requests and
filter and remove JavaScript from the data provided by users.
For more details, you can visit Allari's online portal and learn more about the difference between CSRF and XSS: www.allari.com