Options
XSS Attacks
Trying to completely understand the differences. I got the Stored Attack right, but can you guys help me if I got the others right.
Stored Attack = malicious script injection into website's forums, databases and other data. (user is not required to click the link for code to be activated. Once the user visits the page, it automatically activates the script.
Reflected Attack = everything above but difference is user must click on the link for script to activate.
CSRF (XSRF)/Sea Surf/Session Riding = tricking the user to execute unwanted action on an application user is logged in.
I can't distinguish the last two.
Stored Attack = malicious script injection into website's forums, databases and other data. (user is not required to click the link for code to be activated. Once the user visits the page, it automatically activates the script.
Reflected Attack = everything above but difference is user must click on the link for script to activate.
CSRF (XSRF)/Sea Surf/Session Riding = tricking the user to execute unwanted action on an application user is logged in.
I can't distinguish the last two.
"If you want to kick the tiger in his ass, you'd better have a plan for dealing with his teeth."
Comments
-
Options
p@r0tuXus
Member Posts: 532 ■■■■□□□□□□
via Wikipedia:
"Cross-site request forgery ... is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser."Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
In Progress: Linux+/LPIC-1, Python, Bash
Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE -
Options
Nik 99
Member Posts: 154 ■■■□□□□□□□
If I've got this right XSRF isn't about tricking the user at all. What happens is that they perform actions they are utterly unaware of. So purchases from a site where they were just browsing without actually buying anything themselves I guess. Do correct me if I'm wrong, this is my interpretation of how this attack is supposed to play out.
Dunno about the others, they didn't come up in Darriel Gibson's book I think? Though they probably appear in the techexams Sec+ tech notes.
Edit:ah, got beaten to it =P -
Optionspaul78
Member Posts: 3,016 ■■■■■■■■■■
XSS and CSRF are different types of vulnerabilities.
The best way IMO to think about the 2 differences are how the trust between the browser and webapp are exploited.
XSS - trust by the browser of the webapp is exploited.
CRSF - trust by the webapp of the browser is exploited.
There are 3 main types of XSS vulnerabilities:- persistent - sometimes called stored
- reflected
- dom-based
If you are familiar with basic javascript - a better explanation here - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_****_Sheet
For CSRF - OWASP also has a great explanation here - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)