Cross-site Scripting (XSS) and Cross-site request forgery (CSRF) are very common client-site attacks against web applications. While XSS execute scripts in the victim’s machine to gain users privileges the CSRF forge request on the victim’s behalf. It’s safe to say that XSS exploits the browser trust in a legit website while CSRF takes advantage of the website’s trust on the user’s browser.
What is a cross-site request?
Cross-site requests are meant to make websites dynamic such that websites can embed content from other pages. For example, online advertisements use cross-site requests to display images from Amazon, eBay, or other shopping sites.
How does CSRF work?
CSRF is a type of malicious exploit that forges and sends an HTTP request to a target website through the user machine. An open session on the target website is needed to perform this attack, such that the forget request is sent along with the session cookie. The HTTP request can be trigger using HTML tags or javascript.
Steps to exploit CSRF
- Build a malicious website that is capable of forging HTTP requested
- Make the victim visit the malicious website while having an open session on the target website
- Use Javascript (Post requests) or HTML tags (Get Request) to trigger the HTML request
- Send an out from the victim’s machine the HTTP request along with the session cookie.
The success or failure of the attack relies on the countermeasures implemented on the target website. Secret tokens and same-site cookies are among countermeasures used to protect against CSRF making webservers able to differentiate a request from its page or an entrusted tried-party.
How does XSS work?
XSS is a code injection attack where the goal is to execute a script – Javascript – in the victim’s browser to obtain user credentials or perform actions on the target website, etc. It is not a straight forward attack since the web browsers have implemented a sandbox that doesn’t allow “background interaction” between webpages. The attacker can run scripts from his page, and it will affect only his website. It will not affect the interaction between user and target web pages, nor can access to the target website.
There are two ways that the attacker can inject script in the user machine through the target website. The Persistent XSS Attack stores script on the target website, making it accessible to everyone who visits the web page. It doesn’t target a specific user. On the other hand, Reflective XSS attacks take advantage of unsanitized input sending the scripts as part of it. When the server receives it, it returns (reflect) the script to the victim machine, and the browser executes it.
What are the Differences?
- XSS is more dangerous because it does not need user interaction while CSRF requires an open session on the target website
- XSS can send requests and receive responses while CSRF can only send HTTP requests.
- XSS execute arbitrary scripts to retrieve data while CSRF performs specified actions (add, delete, modify).
- XSS exploits unseized inputs / wait for the user to visit a trusted website while CSRF relies on the user visiting the attacker website
- XSS takes advantage of the victim’s browser trust in a web server
- CSRF exploits the trust of the website in the victim’s browser
XSS and CSRF are common web vulnerabilities that, although discovered long ago, still represent a threat to website security. Giants of technology such as Facebook, Netflix, and Twitter have yet found these vulnerabilities in their websites. It’s essential to understand and implement countermeasures such that the website can recognize untrusted third parties’ requests, filter, and remove JavaScript from the data provided by users.
For more details, you can visit Allari’s online portal & know more about the csrf and xss difference: www.allari.com
