Drawing the contrast between XSS and CSRF attacks

• Cross-site scripting (XSS) and cross-site request forgery (CSRF) are common attacks on websites.
• XSS involves the attacker executing code on the victim’s site, while CSRF involves the attacker making a request on behalf of the authenticated user.

Both of these are client-side attacks that attackers carry out. Let’s first understand what each of these is, before diving into the differences.

What is XSS?

In a cross-scripting attack (XSS), the attacker can execute malicious code in the victim’s browser. This code is usually injected by the attacker when the victim browses a trusted site. There are three types of XSS — Stored XSS, Reflected XSS, and DOM-based XSS.

An attacker who exploits XSS will be able to harvest credentials, redirect victims to phishing pages, and hijack a user session using cookies.

XSS attacks are quite popular and victims include Twitter, eBay, and Yahoo.

What is CSRF?

In a Cross-site request forgery (CSRF), the attacker sends a request to the browser that seems like it was made by the user.

To do this, the victim is first tricked into clicking a link. This is followed by sending a seemingly legitimate request to the website. This request with cookies the victim has associated with the website. A CSRF attack can work only when the victim is logged in to an account.

CSRF vulnerabilities have been discovered in many applications including McAfee and INGDirect.

Understanding the difference

The primary difference is that a CSRF attack requires an authenticated session, whereas an XSS attack doesn’t.

• XSS is believed to be more dangerous because it doesn’t require any user interaction.
• CSRF is restricted to the actions the victim can perform. On the other hand, XSS works on the execution of malicious script broadening the scope of actions the attacker can perform.
• XSS requires a vulnerability to happen, whereas CSRF relies on tricking the user to click a link or access a page.
• Another major difference is that CSRF works only one way, that is it can only send an HTTP request but cannot view the response. XSS can send and receive HTTP requests and responses to extract the required data.

Staying safe

Because CSRF involves attackers using user’s session cookies as HTTP parameters to send a request, the prevention mechanism involves adding an additional random parameter.

• This parameter is validated by the server before providing the response. A popular way to do this is to use CSRF tokens. These are randomly generated, unique values that the server sends to the client via an HTTP request.
• Another way to do this is by using same-site Cookie attributes. A same-site Cookie is sent only when the request comes from the same origin that is related to the Cookie. When another site tries to send a request, the same-site Cookie is not sent thus offering protection against CSRF.

Certain XSS attacks can be contained by CSRF prevention mechanisms, but a considerable part of them cannot. Also, many XSS vulnerabilities can override anti-CSRF mechanisms to access data related to session cookies. XSS attacks can be prevented by validating input, sanitizing data, and escaping data.