XSS vs. CSRF

Differences between XSS and CSRF

  • XSS allows an attacker to execute arbitrary JavaScript within the browser of a victim user.

  • CSRF allows an attacker to induce a victim user to perform actions that they do not intend to.

The consequences of XSS vulnerabilities are generally more serious than for CSRF vulnerabilities:

  • Different Scopes

    • CSRF often only applies to a subset of actions that a user is able to perform. Many applications implement CSRF defenses in general but overlook one or two actions that are left exposed.

    • Conversely, a successful XSS exploit can normally induce a user to perform any action that the user is able to perform, regardless of the functionality in which the vulnerability arises.

  • One-way vs. Two-way

    • CSRF can be described as a "one-way" vulnerability, in that while an attacker can induce the victim to issue an HTTP request, they cannot retrieve the response from that request.

    • Conversely, XSS is "two-way", in that the attacker's injected script can issue arbitrary requests, read the responses, and exfiltrate data to an external domain of the attacker's choosing.

CSRF Tokens for XSS


Some XSS attacks can be prevented through effective use of CSRF tokens.

Consider a simple reflected XSS vulnerability that can be trivially exploited like this:

https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>

Now, suppose that the vulnerable function includes a CSRF token:

Assuming that the server properly validates the CSRF token, and rejects requests without a valid token, then the token does prevent exploitation of the XSS vulnerability. The clue here is in the name: "cross-site scripting", at least in its reflected form, involves a cross-site request. By preventing an attacker from forging a cross-site request, the application prevents trivial exploitation of the XSS vulnerability.
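The following is an added example, not code from the page or from the Web Security Academy, that models the reflected `/status` endpoint described above as plain Python functions (no web framework; the `Session` object and the handler names are hypothetical). It shows three things: a cross-site request that cannot carry the victim's CSRF token is rejected before the message is reflected; without the token check the same request reflects the script; and because a same-origin request with a valid token still reflects it, the token only blocks trivial cross-site exploitation and output encoding remains the actual fix for the XSS.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed sample input: the payload from the URL quoted on the page.
PAGE_PAYLOAD = "<script>/* Bad stuff here... */</script>"


@dataclass
class Session:
    """Hypothetical per-user server-side session; the CSRF token is minted here."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def csrf_token_valid(session: Session, params: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's token."""
    submitted = params.get("token", "")
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def status_reflected_unescaped(params: dict, session: Session, check_token: bool):
    """Models the vulnerable /status endpoint: reflects `message` into HTML verbatim.

    With check_token=True the handler first rejects requests that lack a valid
    CSRF token, which is the mitigation the page describes. Returns (status, body).
    """
    if check_token and not csrf_token_valid(session, params):
        return 403, "Forbidden: missing or invalid CSRF token"
    return 200, f"<p>Status: {params.get('message', '')}</p>"


def status_escaped(params: dict, session: Session):
    """The real fix: HTML-encode untrusted input before reflecting it, on top of the token check."""
    if not csrf_token_valid(session, params):
        return 403, "Forbidden: missing or invalid CSRF token"
    return 200, f"<p>Status: {html.escape(params.get('message', ''))}</p>"


def contains_live_script(body: str) -> bool:
    """Crude detector used only to show whether the payload survived as markup."""
    return "<script>" in body


if __name__ == "__main__":
    sess = Session()
    # A cross-site link forged by a third party cannot include the victim's token.
    print(status_reflected_unescaped({"message": PAGE_PAYLOAD}, sess, check_token=True))
    # A same-origin request carrying the real token still reflects the script unescaped.
    print(status_reflected_unescaped({"message": PAGE_PAYLOAD, "token": sess.csrf_token}, sess, check_token=True))
    # Output encoding neutralises it regardless of the token.
    print(status_escaped({"message": PAGE_PAYLOAD, "token": sess.csrf_token}, sess))
```

The token check only works because the cross-site request has no way to obtain the victim's token; the third call shows why a CSRF token is a defence-in-depth measure for reflected XSS and not a replacement for encoding output.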

Reference

XSS vs CSRF - Web Security Academy
