XSS vs. CSRF
Differences between XSS and CSRF
The consequences of an XSS vulnerability are generally more serious than those of a CSRF vulnerability, for two reasons:
Different Scopes
CSRF usually applies only to a subset of the actions a user is able to perform, and its impact is limited to those actions. Many applications implement CSRF defenses in general but overlook one or two actions, which are then the only ones an attacker can abuse.
Conversely, a successful XSS exploit can normally induce a user to perform any action that the user is able to perform, regardless of the functionality in which the vulnerability arises.
One-way vs. Two-way
CSRF can be described as a "one-way" vulnerability: an attacker can induce the victim's browser to issue an HTTP request, but cannot retrieve the response to that request, because the response is delivered to the victim's browser and the same-origin policy prevents the attacker's page from reading it.
Conversely, XSS is "two-way", in that the attacker's injected script can issue arbitrary requests, read the responses, and exfiltrate data to an external domain of the attacker's choosing.
CSRF Tokens for XSS
Consider a simple reflected XSS vulnerability that can be trivially exploited like this:
https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>
Now, suppose that the vulnerable function includes a CSRF token:
https://insecure-website.com/status?csrf-token=CIwNZNlR4XbisJF39I8yWnWX9wX4WFoz&message=<script>/*+Bad+stuff+here...+*/</script>
Assuming that the server properly validates the CSRF token and rejects requests without a valid token, the token does prevent trivial exploitation of the XSS vulnerability. The clue here is in the name: "cross-site scripting", at least in its reflected form, involves a cross-site request. An attacker crafting the link from another site does not know the victim's token, so the forged request is rejected before the message is ever reflected. Two caveats matter in practice. First, the token only blocks the cross-site delivery of the payload; the underlying bug (reflecting user input without output encoding) is still there and still needs to be fixed. Second, the protection only holds against an attacker who cannot read the token, which is exactly what script already running in the application's origin can do, as the "two-way" property above describes.