CSS vs CSRF

teancum144teancum144 Member Posts: 229 ■■■□□□□□□□
I've been a little confused about the difference between cross-site scripting (CSS) and cross-site request forgery (CSRF). After some research, I've come up with the following summaries:
  • CSS: This attack exploits the trust a user has for a particular website or email. An attacker compromises a website (or crafts an email) with a link that includes malicious code (e.g. HTML code, JavaScript, etc.). When a user selects the link, the malicious code runs on the user’s system, resulting in harm such as the following:
    • Opens other webpages, pop-ups, etc.
    • Read passwords from web-browser cache
    • Steal sensitive data from users’ cookies
  • CSRF: This attack exploits the trust a website has for a user’s browser. An attacker compromises a website (or creates an email) with a link that includes malicious code (e.g. HTML code, JavaScript, etc.). When a user selects the link, the malicious code accesses a third-party website (e.g. the user’s bank) that trusts the user’s browser credentials (e.g. session cookie) resulting in harm such as the following: changing profile data (e.g. username, password, email, etc.), transferring money, making purchases, etc.
From what I can tell, both attacks are initiated using similar methods, but the goal (and resulting harm) is different. Please confirm my understanding or help improve my understanding if I'm incorrect.
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D

Comments

  • SharkbaitSharkbait Member Posts: 35 ■■□□□□□□□□
    Here is the explanation I have...

    While XSS exploits the trust a user has for a website, XSRF exploits the trust that a website has for a browser.
    Unauthorized commands are transmitted from the browser.
    An example of XSRF is harvesting passwords from the web browsers cache.
    The attack works by including a link or script in a page that accesses a secure site to which the user has been previously authenticated.

    In XSS, malicious browser scripts are injected when the user fills out a form or clicks on a link at a trusted web site.

    So...I'm guessing that XSRF deals with an interaction between the browser and the distant server. the XSS is when a user is entering information into a form, but scripting text gets transmitted instead. So, if the form in question simply has input validation turned on, the attack cannot happen.

    Sharkbait
  • teancum144teancum144 Member Posts: 229 ■■■□□□□□□□
    If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D
Sign In or Register to comment.