XSS vs. CSRF
Differences between XSS and CSRF
XSS allows an attacker to execute arbitrary JavaScript within the browser of a victim user.
CSRF allows an attacker to induce a victim user to perform actions that they do not intend to.
The consequences of XSS vulnerabilities are generally more serious than for CSRF vulnerabilities:
Different Scopes
CSRF often only applies to a subset of actions that a user is able to perform. Many applications implement CSRF defenses in general but overlook one or two actions that are left exposed.
Conversely, a successful XSS exploit can normally induce a user to perform any action that the user is able to perform, regardless of the functionality in which the vulnerability arises.
One-way vs. Two-way
CSRF can be described as a "one-way" vulnerability, in that while an attacker can induce the victim to issue an HTTP request, they cannot retrieve the response from that request.
Conversely, XSS is "two-way", in that the attacker's injected script can issue arbitrary requests, read the responses, and exfiltrate data to an external domain of the attacker's choosing.
CSRF Tokens for XSS
Some XSS attacks can be prevented through effective use of CSRF tokens.
Consider a simple reflected XSS vulnerability that can be trivially exploited like this:
Now, suppose that the vulnerable function includes a CSRF token:
Assuming that the server properly validates the CSRF token, and rejects requests without a valid token, then the token does prevent exploitation of the XSS vulnerability. The clue here is in the name: "cross-site scripting", at least in its reflected form, involves a cross-site request. By preventing an attacker from forging a cross-site request, the application prevents trivial exploitation of the XSS vulnerability.
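The point above, as an added Python model that is not part of the original page: a reflected-XSS sink served first with no CSRF check, then gated by a session-bound CSRF token (which a cross-site request cannot supply), and finally with HTML encoding, which is what actually removes the XSS. The in-memory session store, handler names and the search payload are all constructed for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> CSRF token bound to that session.
SESSIONS = {}

def new_session():
    """Log a user in: create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid

def reflect(query):
    """The reflected-XSS sink: untrusted input written raw into the HTML body."""
    return f"<p>You searched for: {query}</p>"

def search_vulnerable(sid, params):
    """Reflected XSS with no CSRF token: any request the victim's browser sends,
    including one triggered from an attacker's page, is served."""
    if sid not in SESSIONS:
        return 403, "no session"
    return 200, reflect(params.get("q", ""))

def search_csrf_protected(sid, params):
    """Same sink, but the request must carry the token bound to the session.
    A cross-site request cannot include a token the attacker has never seen."""
    if sid not in SESSIONS:
        return 403, "no session"
    if not hmac.compare_digest(params.get("csrf", ""), SESSIONS[sid]):
        return 403, "invalid CSRF token"
    return 200, reflect(params.get("q", ""))

def search_fixed(sid, params):
    """The real XSS fix: HTML-encode untrusted data for the HTML body context.
    The token check stays, because CSRF is a separate issue."""
    if sid not in SESSIONS:
        return 403, "no session"
    if not hmac.compare_digest(params.get("csrf", ""), SESSIONS[sid]):
        return 403, "invalid CSRF token"
    return 200, reflect(html.escape(params.get("q", ""), quote=True))

def cross_site_request(handler, victim_sid, attacker_params):
    """Model a cross-site request: the victim's browser attaches the session
    cookie automatically, but every parameter is attacker-chosen."""
    return handler(victim_sid, attacker_params)
```

The token only blocks the cross-site delivery route; a request that does carry the correct token still reaches the raw sink in `search_csrf_protected`, so output encoding is still required.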