What is the Difference Between XSS vs CSRF Attacks and How to Prevent Them?
XSS and CSRF are two of the most common client side attacks. However, they are very different.
In this article, we'll take a look at the difference between XSS vs CSRF attacks and what you can do to prevent these two attacks.
What is a Client Side Attack?
Before we start explaining what are XSS and CSRF attacks, ways to prevent them and the differences between the two, it's important to have a clear understanding of what a client side attack is in the first place.
A client side attack is any type of cyberattack that targets the computer hardware or software, rather than the server (that is a server side attack).
For example, a client side attack can happen if a user downloads a malicious script or clicks on a malicious link which can then infect the victim's browser or computer.
There are six types of client side attacks:
- XSS or Cross-Site Scripting
- CSRF or Cross-Site Request Forgery
- Supply Chain Attack
- Data Exfiltration
In this article, we'll focus on cross-site scripting (XSS) and cross-site request forgery (CSRF) and leave the other four for some other time.
What is XSS (Cross Site Scripting)?
Since the end user's browser can't know that it has received a malicious script via an XSS attack, it will execute it as it will think that it came from a trusted source. Once this happens, the script will be able to access cookies, session tokens and other sensitive information that the web browser normally retains for use with that particular website and it can also rewrite the HTML page contents.
Types of XSS Attacks
There are two main types of cross-site scripting attacks:
- Persistent XSS attacks
These XSS attacks include attacks in which the malicious code is permanently stored on the target website, typically in its database, comment fields, visitor logs, message forums, etc.
When the user requests this information from the web server, they also unknowingly retrieve the malicious script.
This type of cross-site scripting attack is also called Stored XSS.
- Non-persistent XSS attacks
Unlike with persistent XSS attacks, with non-persistent XSS, the malicious code is not permanently stored on the web server. Instead, the code is reflected off the server and then delivered to the victim user via an email message or another website.
When the user performs a legitimate action, such as submitting a form, clicking on a malicious link, or browses to an infected website, the malicious code then travels to that website and reflects back to the victim's browser.
How to Detect and Prevent XSS Attacks?
One of the biggest problems with XSS attacks is that it is difficult for most malware detection systems to detect them.
This is especially true in case of reflected XSS, where the malicious code is not permanently stored on the server.
On the other hand, even with persistent XSS attacks, anti malware might only detect known vulnerabilities that have an attack signature, so it's also not entirely reliable.
Therefore, an organization that wants to protect itself from either reflected or stored cross site scripting attacks needs to evaluate its web application code for XSS vulnerabilities.
This can be done by manually assessing and testing the code, as well as using an automated application testing tool like Nessus or technique.
The reason why we need manual as well as automated testing is because automated tools often don't understand the context of a code and this is where human verification is necessary.
An organization must have a good cyber hygiene to successfully identify and repel these types of attacks and also must follow strong cyber security practices including:
- Control and segment its network
- Clean code
- Enable multi-factor authentication (MFA)
- Educate the team on security (when not to open or download an attachment for instance)
- Continiously check for flaws and patch them
What is Cross Site Request Forgery (CSRF)?
CSRF or cross site request forgery is a web security vulnerability in which the threat actor coaxes the user to perform an action that they do not intend.
What this does is it allows the hacker to bypass the origin policy designed to prevent one website from interfering with another.
This means that a successful CSRF attack requires four conditions to be met:
- There must be a relevant action wihin the application that the attacker can encourage.
- Performing that action leads to a HTTP request.
- The application identifies the user who has made the request based on session cookies.
- There are no parameters that the attacker can't guess or determine.
How to Prevent CSRF?
The most sure-fire way to prevent CSRF attacks is by generating CSRF tokens.
A CSRF token is a unique value generated on the server-side application and sent to the client so that it's included in the following HTTP request that it makes. On the next request, the application checks for the token and if it's not present or is invalid, the request is denied.
The Difference Between Cross Site Scripting and Cross Site Request Forgery
The main difference between XSS vs CSRF is that a CSRF attack requires a user action and an authenticated session.
This means that CSRF can only send a HTTP request but not view the response, while the XSS can both send the HTTP request and receive the response.
Another difference between the two attacks is that CSRF requires an action by the user, like clicking on a malicious link or opening a malicious web page, while XSS only requires a vulnerability.
XSS and CSRF are both serious security vulnerabilities, so hopefully this article has helped you understand them a little better, including the difference between XSS vs CSRF and will give you a good starting point to identify and prevent them in your organization.