CSS vs CSRF
teancum144
Member, Posts: 229
in Security+
I've been a little confused about the difference between cross-site scripting (CSS) and cross-site request forgery (CSRF). After some research, I've come up with the following summaries:
- CSS: This attack exploits the trust a user has for a particular website or email. An attacker compromises a website (or crafts an email) with a link that includes malicious code (e.g. HTML code, JavaScript, etc.). When a user selects the link, the malicious code runs on the user's system, resulting in harm such as the following:
  - Opens other webpages, pop-ups, etc.
  - Reads passwords from the web-browser cache
  - Steals sensitive data from users' cookies
- CSRF: This attack exploits the trust a website has for a user's browser. An attacker compromises a website (or creates an email) with a link that includes malicious code (e.g. HTML code, JavaScript, etc.). When a user selects the link, the malicious code accesses a third-party website (e.g. the user's bank) that trusts the user's browser credentials (e.g. session cookie), resulting in harm such as the following: changing profile data (e.g. username, password, email, etc.), transferring money, making purchases, etc.
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
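As an added example (not from this thread or any of its posters), here is a toy Python request handler modelled on the CSRF summary above: a money-transfer endpoint that authorises on the session cookie alone, beside the same endpoint with the two checks a page on another origin cannot satisfy, an Origin header comparison and a per-session anti-CSRF token. The site origin, session store and request object are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Origin of the constructed toy "bank" site; any other Origin is cross-site.
SITE_ORIGIN = "https://bank.example"

# In-memory session store: session cookie value -> session state (constructed).
SESSIONS = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: only the fields the handlers look at."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user):
    """Creates a session with a per-session anti-CSRF token; returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": 100,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _do_transfer(sess, req):
    amount = int(req.form.get("amount", "0"))
    if amount <= 0 or amount > sess["balance"]:
        return 400, "bad amount"
    sess["balance"] -= amount
    return 200, f"sent {amount} to {req.form.get('to')}"


def transfer_vulnerable(req):
    """Authorises on the session cookie alone. The browser attaches that cookie to a
    POST no matter which page submitted the form, so a form auto-submitted from
    another site is indistinguishable from the bank's own form: this is CSRF."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 401, "not logged in"
    return _do_transfer(sess, req)


def transfer_hardened(req):
    """Same handler with two checks a cross-site page cannot satisfy:
    1. the Origin header, when present, must be the bank itself;
    2. the form must carry the secret token tied to this session, which a page on
       another origin cannot read because of the same-origin policy."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 401, "not logged in"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(sess, req)


def simulate():
    """Sends the same two requests to each handler, each from a fresh session: one
    from the bank's own page (token plus matching Origin) and one carrying the same
    cookie but posted from a different origin. Returns the status codes and the
    resulting balance so the difference between the handlers is visible."""
    results = {}
    for name, handler in (("vulnerable", transfer_vulnerable),
                          ("hardened", transfer_hardened)):
        sid = login("alice")
        cookie = {"session": sid}
        own_form = Request("POST", cookie,
                           {"to": "bob", "amount": "10",
                            "csrf_token": SESSIONS[sid]["csrf_token"]},
                           {"Origin": SITE_ORIGIN})
        cross_site = Request("POST", cookie,
                             {"to": "bob", "amount": "10"},
                             {"Origin": "https://other.example"})
        results[name] = {"own_form": handler(own_form)[0],
                         "cross_site": handler(cross_site)[0],
                         "balance": SESSIONS[sid]["balance"]}
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

Running `simulate()` shows the vulnerable handler accepting both requests (balance 80), while the hardened one accepts only the bank's own form (balance 90). The Origin check alone is not enough because older clients may omit the header, which is why the token check is the one that must never be skipped.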
Comments
Sharkbait
Member, Posts: 35
Here is the explanation I have...
While XSS exploits the trust a user has for a website, XSRF exploits the trust that a website has for a browser.
Unauthorized commands are transmitted from the browser.
An example of XSRF is harvesting passwords from the web browser's cache.
The attack works by including a link or script in a page that accesses a secure site to which the user has been previously authenticated.
In XSS, malicious browser scripts are injected when the user fills out a form or clicks on a link at a trusted web site.
So... I'm guessing that XSRF deals with an interaction between the browser and the distant server. The XSS is when a user is entering information into a form, but scripting text gets transmitted instead. So, if the form in question simply has input validation turned on, the attack cannot happen.
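As an added example (not from this thread or either poster), here is a small Python illustration of the XSS side of the discussion: a page that interpolates a form value straight into its markup beside one that encodes the value on output, with a check that counts how many tags the user's text introduced. It also builds the Set-Cookie attributes that blunt the cookie-theft harm listed in the first post. The page template, the sample inputs and the cookie name are constructed for the example.

```python
import html
import re

# Template the page renders user text into: a text context inside <p> (constructed).
PAGE_TEMPLATE = '<p class="comment">{body}</p>'
TEMPLATE_TAG_COUNT = 2  # <p ...> and </p>

# Start of an opening or closing tag, used only to count tags in rendered output.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def render_unsafe(user_text):
    """Interpolates the raw form value: anything typed into the form becomes markup,
    so a script in the input runs in every visitor's browser (stored XSS)."""
    return PAGE_TEMPLATE.format(body=user_text)


def render_safe(user_text):
    """Encodes the value for an HTML text context on output. < > & " ' become
    entities, so the browser shows the characters instead of parsing them as
    tags or attributes."""
    return PAGE_TEMPLATE.format(body=html.escape(user_text, quote=True))


def injected_tag_count(rendered):
    """Number of tags in the rendered page beyond the ones the template itself
    contains. Anything above zero means user input has become markup."""
    return len(TAG_RE.findall(rendered)) - TEMPLATE_TAG_COUNT


def session_cookie_header(session_id):
    """Set-Cookie value that limits the cookie harms named in the thread:
    HttpOnly keeps page script from reading it via document.cookie, SameSite=Lax
    stops the browser attaching it to cross-site POSTs, Secure keeps it off
    plain HTTP."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary comment and one carrying a script tag.
    for text in ("Great article!", "<script>alert(1)</script>"):
        print(repr(text))
        print("  unsafe:", injected_tag_count(render_unsafe(text)), render_unsafe(text))
        print("  safe:  ", injected_tag_count(render_safe(text)), render_safe(text))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Output encoding is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a `<script>` block or a URL needs the encoder for that context instead.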
teancum144
Member, Posts: 229
Here's a good explanation of CSRF: