What is the difference between XSS and CSRF from their execution perspective?

What is the difference between XSS and CSRF from their execution perspective?

https://www.quora.com/What-is-the-difference-between-XSS-and-CSRF-from-their-execution-perspective/answer/Deepthi-210

Fundamental difference is that CSRF (Cross-site Request forgery) happens in authenticated sessions when the server trusts the user/browser,

while XSS (Cross-Site scripting) doesn't need an authenticated session and can be exploited when the vulnerable website doesn't do the basics of validating or escaping input.

 

In case of XSS, when the server doesn't validate or escapes input as a primary control, an attacker can send inputs via request parameters or any kind of client side input fields (which can be cookies, form fields or url params).These can be written back to screen , persisted in database or executed remotely.

For CSRF, consider an example when you are logged in into your banking site and at the same time logged into Facebook in another tab in same browser.

An attacker can place a malicious link embedded in another link or zero byte image which can be like your banksite.com/transfer.do?fromaccnt=youraccnt&toaccnt=attackersAccount&amt=2500.

Now, if you accidentally click on this link , in the background transfer can happen though you clicked from the Facebook tab.

 

This is because your session is still active in browser and browser has your session id.

This is the reason the most popular CSRF protection is having another server supplied unique token generated and appended in the request.

This unique token is not something which is known to browser like session id.

This additional validation at server (i.e whether the transfer request also contains the correct CSRF token) will make sure that the attacker manipulated link (I.e the CSRF attack) in above example will never work.

https://www.quora.com/What-is-the-difference-between-XSS-and-CSRF-from-their-execution-perspective/answer/Yash-Pandya-4

csrf is all about checking auth_tockens used in from , in csrf attck you can create spoof html form and force other victim to do things according to your need while xss is all about javascript execution . you can read more about both on owasp.org

https://www.quora.com/What-is-the-difference-between-XSS-and-CSRF-from-their-execution-perspective/answer/Gaurav-Sharma-2819

The fundamental difference between CSRF and XSS is that

cross-site scripting (XSS), is designed to exploit the trust the user has for a particular site

whilst

CSRF aims to exploit the trust that a website has in the visitor’s browser.

Difference between XSS and CSRF attacks

How does a CSRF attack work?

In a CSRF attack, a malicious web site tells the victim’s web browser to send a malicious request to an honest site, as if the request were part of the victim’s interaction with the honest web site, making use of the existing victim’s context, such as cookies.

So let’s say you are logged in into Facebook. That implies that your web browser obtained the session i.e. the cookie to access your Facebook account. Every time you interact with Facebook, their server checks the cookie you send with the request so they know it’s you.

Let’s assume that when clicking the logout button of Facebook, a GET request is made to the following URL: https://facebook.com/logout. Now you visit the website of the attacker which contains the following HTML-snippet:

<img src="https://facebook.com/logout">

This will cause your browser to load the image-URL of the img tag, which comes down to a GET request to https://facebook.com/logout. Your browser will automatically send your session together with the GET-request to Facebook.

That means that the attacker was able log you out. He made a valid request with your user context without you even knowing.

 

Depending on the vulnerable web site, using CSRF, attackers can change your credentials or user profile properties.

Even Gmail was vulnerable to CSRF as a story from 2007 shows. An attacker was able to get a victim on a malicious website that then send a request to Gmail and changed the victim’s Gmail filter properties.

Like this, the attacker was able to redirect the victim’s emails to his own email account.

 

Another common attack is to use CSRF to trigger a login initiated by the victim but with the attacker’s credentials.

Imagine you are on a malicious web site with a HTML-form. When clicking submit, the form makes a POST request to Google with the attackers credentials that are written into the HTML-form. Now the attacker is logged in on Google in the victim’s browser.

Google will document all visited web sites and browser history which the attacker can get access to later on.

 

So, both attacks have in common that they are client-side attacks and need some action of the end user, such as clicking on a link or visiting a web site.

XSS executes a malicious script in your browser, CSRF sends a malicious request on your behalf.

--