XSS Vs CSRF Attacks — What Are The Differences?

What are XSS and CSRF?

What is XSS?

  • Disclosure of user files
  • Malware/Trojan Horse installation
  • Exposure to online banking information
  • HTML/DOM content modification
  • Redirecting users to unknown websites

What is CSRF?

Differences between CSRF and XSS

  • XSS attacks follow a two-way attack pattern: the attacker can execute a malicious script, read the response, and send sensitive data on to a destination of the attacker’s choice. CSRF, on the other hand, is a one-way attack mechanism: the attacker can only initiate the HTTP request and cannot read the response to that request.
  • CSRF attacks require the authenticated user to be in an active session, while XSS attacks do not. In an XSS attack, the payload can be stored and delivered whenever the user logs in.
  • CSRF attacks have a limited scope, restricted to the actions the user can perform, such as clicking a malicious link or visiting the attacker’s website. An XSS attack, by contrast, allows the execution of malicious scripts to perform any activity of the attacker’s choice, which widens the scope of the attack.
  • In XSS attacks, the malicious code is stored within the site itself, whereas in CSRF attacks, the malicious code is stored on third-party sites that the victim user is made to access.

XSS Example

<html>
<body>
<?php
// Reflects the raw request path into the page without any output encoding,
// so markup in the URL is rendered by the browser (reflected XSS).
print "Not found: " .
    urldecode($_SERVER["REQUEST_URI"]);
?>
</body>
</html>
http://darwin.test/non_existent_file
Not found: /non_existent_file
http://darwin.test/<script>bad_payload_script</script>
Not found: /<script>bad_payload_script</script>

CSRF Example

GET http://darwin.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
http://darwin.com/transfer.do?acct=MARIA&amount=50000
<img src="http://darwin.com/transfer.do?acct=MARIA&amount=50000" width="0" height="0" border="0">

XSS and CSRF — FAQs

What is the difference between cross-site scripting and JavaScript injection?

What are some effective CSRF prevention mechanisms?

  • Using a synchronizer token pattern
  • Using double-submit cookies
  • Using HTTP standard headers to validate the origin of requests
  • UI-based verification such as CAPTCHA-based authorization and MFA
  • Using SameSite Cookies for request origin management
  • Use of CSRF tokens
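The first and third mechanisms in the list above, a synchronizer token plus Origin/Referer validation, applied to the transfer.do endpoint from the CSRF example. This is an added illustration, not code from the original post; the session dict, the SITE_ORIGIN constant and the function names are assumptions standing in for a real framework's session store and request objects.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the site's own origin, taken from the page's example host.
SITE_ORIGIN = "https://darwin.com"


def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session and keep it server-side.
    The same token is embedded as a hidden field in every state-changing form,
    so a page served by another origin cannot learn it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Accept the request only if the browser-supplied Origin (or, failing
    that, the Referer's scheme and host) matches our own origin.
    A request carrying neither header is treated as untrusted."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def transfer_allowed(session: dict, headers: dict, form: dict) -> bool:
    """Decide whether a POST to transfer.do may proceed.
    Both checks must pass: the origin check and the token that only a page
    served by darwin.com could have read from the form."""
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if expected is None:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected.encode(), submitted.encode())
```

The hidden <img> from the CSRF example sends a cookie but no token and an attacker-controlled Origin, so both checks reject it; state-changing actions should also be limited to POST so that a plain image load cannot trigger them.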

What are some effective XSS prevention mechanisms?

  • Enforcing Content Security Policies
  • Validating and filtering user input
  • Encoding output data
  • Using custom response headers (Content-Type & X-Content-Type-Options) to govern browser response interpretation
  • Sanitizing HTML inputs

Can CSRF tokens prevent XSS?
