I know about cross-site scripting and cross-site request forgery. I want to know if there is any similarity between them?
- 1 A [quora answer](http://qr.ae/TUhTnM) to a very similar question. – Oren Milman Oct 27 '18 at 07:11
- 2 I think that user13695 is arrogant and patronizing here. There are sensible differences between the two classes of attacks. While the below answer points out the similitudes, there are differences in the way the attacker injects scripts and disguises them – MiniMe Feb 27 '21 at 01:07
1 Answer
In a cross-site request forgery attack, the attacker tries to force/trick you into making a request which you did not intend. This could be sending you a link that makes you involuntarily change your password. A malicious link could look like this:

```
https://security.stackexchange.com/account?new_password=abc123
```

In a cross-site scripting attack, the attacker makes you involuntarily execute client-side code, most likely JavaScript. A typical reflected XSS attack attempt could look like this:

```
https://security.stackexchange.com/search?q="><script>alert(document.cookie)</script>
```
Both attacks have in common that they are client-side attacks and need some form of user activity (e.g. clicking a link or visiting a website). Unlike RFI or SQLi vulnerabilities, you're attacking a user rather than the server. XSS is generally more powerful than CSRF because it usually allows the execution of arbitrary script code while CSRF is restricted to a particular action (e.g. changing the password). As @Lukas points out, a successful XSS attack also effectively bypasses all anti-CSRF measures.
- 5 Good answer! I'd like to add that most XSS vulnerabilities could also be used to exploit CSRF vulnerabilities. – Lukas Oct 06 '16 at 20:30
- 2 Would it be right to say, CSRF sends an illegitimate request to perform some operation on the server and XSS sends an illegitimate request so that the response runs client side attack code? – ProgramCpp Jun 06 '17 at 07:04
- 2 @ProgramCpp Kind of. XSS is not necessarily about sending a single "illegitimate" request. E.g., with a persistent XSS vulnerability, the attacker could also prepare an attack independent from the victim. But yes, CSRF is about performing an operation, XSS is about running client-side attack code. – Arminius Jun 06 '17 at 08:39
- For more information about "a successful XSS attack also effectively bypasses all anti-CSRF measures", I think that this is a good resource: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Warning:_No_Cross-Site_Scripting_.28XSS.29_Vulnerabilities – Oren Milman Feb 05 '19 at 11:20
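
The two URLs from the answer above, worked through as a vulnerable handler next to its hardened form for each attack class. This is an added example, not code from the original answer or its comments; every function name, the request/session object shapes and the sample token are hypothetical.

```javascript
// Added example; all names and the request/session shapes are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// XSS, vulnerable: the search term is reflected into the page verbatim.
function renderSearchUnsafe(q) {
  return `<input name="q" value="${q}">`;
}

// XSS, hardened: the term is encoded for the HTML attribute it lands in.
function renderSearchSafe(q) {
  return `<input name="q" value="${escapeHtml(q)}">`;
}

// Compare tokens without returning early on the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// CSRF, vulnerable: a GET with a query parameter changes state, so the
// session cookie sent along with a followed link is all the server checks.
function changePasswordUnsafe(req, session) {
  if (!session.user) return { status: 401, changed: false };
  return { status: 200, changed: req.query.new_password !== undefined };
}

// CSRF, hardened: POST only, plus a per-session token that a page on another
// origin cannot read. Script injected via XSS runs same-origin and can read
// it, which is why the token is only as strong as the output encoding above.
function changePasswordSafe(req, session) {
  if (!session.user) return { status: 401, changed: false };
  if (req.method !== 'POST') return { status: 405, changed: false };
  if (!constantTimeEqual(req.body?.csrf_token, session.csrfToken)) {
    return { status: 403, changed: false };
  }
  return { status: 200, changed: true };
}

// Constructed inputs mirroring the two URLs in the answer.
const session = { user: 'alice', csrfToken: 'constructed-token-123' };
const forgedGet = { method: 'GET', query: { new_password: 'abc123' }, body: {} };
const payload = '"><script>alert(document.cookie)</script>';
console.log(renderSearchSafe(payload), changePasswordSafe(forgedGet, session).status);
```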