The key difference between XSS and CSRF is that, in XSS (or Cross Site Scripting), the site accepts the malicious code while, in CSRF (or Cross Site Request Forgery), the malicious code is stored in the third party sites. The XSS is a type of computer security vulnerability in web applications that enables attackers to inject client-side scripts into web pages viewed by other users. On the other hand, CSRF is a type of malicious activity of a hacker or a website that transmits unauthorized commands that the user’s web application will trust.
Web development is the process of programming a website according to the client requirements. Every organization maintains websites. These websites help to improve the business and to gain profit. At the same time, there can be threats that affect the functionality of the website. Two of them are XSS and CSRF.
CONTENTS
1. Overview and Key Difference
2. What is XSS
3. What is CSRF
4. Side by Side Comparison – XSS vs CSRF in Tabular Form
5. Summary
What is XSS?
XSS is a code injection attack that injects malicious code into the website. It is one of the most common web site attacks. It can affect the website and can also affect the users of that website. In other words, when there is an XSS attack on the website, that code will execute in the users of that website by the browser.
Figure 01: XSS Attack
One common language to write malicious code for XSS is JavaScript. XSS can steal user’s cookies. It can modify the webpage to look and behave differently. Furthermore, it can display malware downloads and change user’s settings.
There are two types of XSS attacks. They are called persistent and non-persistent. In persistent XSS attack, the malicious code is stored in the website database. The user might access it without any knowledge. The non-persistent XSS attack is also called Reflected XSS. It sends the malicious script as an HTTP request. Those are the main two types in XSS.
What is CSRF?
In a website, there is a client side and the server side. The web pages, forms are on the client side. The server side performs an action when the user acts. Server side gets requests from other websites too.
CSRF attack tricks the user to interact with a page or a script on a third party site. It will generate a malicious request to the user’s site. But the server assumes that it is a request from an authorized website. When the user accepts it, an attacker can take the control over using the data sent in the request.
One example is as follows. A user logs in to his bank account. The bank provides him with a session token. A hacker can trick the user to click on a fake link that points to the bank. When the user clicks the link, it uses the previous session token. Then, the hacker’s request executes, and the user account is hacked. He can transfer money from his account. The request to the bank is forged as it uses the same session token of the user. Overall, it is important to know how to protect the website from CSRF attack in web development.
What is the Difference Between XSS and CSRF?
XSS stands for Cross Site Scripting, and CSRF stands for Cross Site Request Forgery. XSS is a type of computer security vulnerability in web applications that enables attackers to inject client-side scripts into web pages viewed by other users. CSRF is a type of malicious activity of a hacker or a website which transmits unauthorised commands that the user’s web application will trust. Also, XSS requires JavaScript to write the malicious code while the CSRF does not require JavaScript.
Furthermore, in XSS, the site accepts the malicious code while in CSRF, the malicious code is stored in the third party sites. This is the main difference between XSS and CSRF. Usually, a site that is vulnerable to XSS attack is also vulnerable to the CSRF attack. However, a site that has protection from XSS still can be vulnerable to CSRF attacks.
Summary – XSS vs CSRF
XSS and CSRF are two types of attacks to a website. XSS stands for Cross Site Scripting while CSRF stands for Cross Site Request Forgery. The difference between XSS and CSRF is that, in XSS, the site accepts the malicious code while, in CSRF, the malicious code is stored in the third party sites.
Reference:
1.DrapsTV. XSS Tutorial #2 – Non Persistent Scripts (Reflected XSS), DrapsTV, 23 Jan. 2015. Available here
2.What Is CSRF?, Hacksplaining, 4 Mar. 2017. Available here
3.DrapsTV. XSS Tutorial #3 – Persistent Scripts, DrapsTV, 26 Jan. 2015. Available here
4.DrapsTV. XSS Tutorial #1 – What Is Cross Site Scripting?, DrapsTV, 22 Jan. 2015. Available here
Image Courtesy:
1.’26393980275′ b Christiaan Colen (CC BY-SA 2.0) via Flickr