XSS Attacks
coldbug
Trying to completely understand the differences. I got the Stored Attack right, but can you guys help me see if I got the others right?
Stored Attack = malicious script injection into a website's forums, databases and other data (the user is not required to click a link for the code to be activated; once the user visits the page, it automatically runs the script).
Reflected Attack = everything above, but the difference is the user must click on the link for the script to activate.
CSRF (XSRF)/Sea Surf/Session Riding = tricking the user into executing an unwanted action on an application the user is logged in to.
I can't distinguish the last two.
Comments
p@r0tuXus
via Wikipedia:
"Cross-site request forgery ... is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser."
Nik 99
If I've got this right XSRF isn't about tricking the user at all. What happens is that they perform actions they are utterly unaware of. So purchases from a site where they were just browsing without actually buying anything themselves I guess. Do correct me if I'm wrong, this is my interpretation of how this attack is supposed to play out.
Dunno about the others, they didn't come up in Darril Gibson's book I think? Though they probably appear in the techexams Sec+ tech notes.
Edit: ah, got beaten to it =P
paul78
XSS and CSRF are different types of vulnerabilities.
The best way IMO to think about the 2 differences is how the trust between the browser and webapp is exploited.
XSS - trust by the browser of the webapp is exploited.
CSRF - trust by the webapp of the browser is exploited.
There are 3 main types of XSS vulnerabilities:
persistent - sometimes called stored
reflected
dom-based
Instead of regurgitating the description - my favorite explanation can be found here -
https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
If you are familiar with basic JavaScript - a better explanation here -
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_****_Sheet
For CSRF - OWASP also has a great explanation here -
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)