Difference Between CSRF and XSS

CSRF (also known as XSRF)

Using CSRF, an attacker forces the victim to execute unwanted actions on a web application, exploiting the trust between the site and the authenticated user. This is usually achieved by sending a link via WhatsApp, email or chat, or by any other social engineering technique.

Attackers have many ways to trick the victim, because many users browse multiple sites in parallel and often do not explicitly log out when they finish using a website. A CSRF attack can also be carried out without the user visiting a malicious webpage.

A CSRF attack does not exploit any browser flaw. Simply visiting a rogue URL while logged into the susceptible website can cause unwanted actions to be carried out there.

How a CSRF attack happens:

Let's take an example. The victim is logged into their bank account and at the same time browses some other shopping website, say 'www.shoppingsite.com', which contains a link. This link leads to a page with a hidden form and a piece of JavaScript; when the user visits the page, the browser silently submits the hidden form to 'Yourbank.com'.

The attacker has to do some preparatory work to generate such a link: it must simulate the exact format and content of the request that a legitimate user would trigger, for example when submitting an online bill payment.

Since this form is an exact copy of the 'pay bill' form provided by the bank, the victim's browser automatically attaches the authentication cookies to the request. If the session is still active, the server processes the request, and the victim only becomes aware of it after the amount has been deducted.

How F5 BIG-IP ASM does CSRF protection

When the ASM engineer enables the CSRF feature, ASM inserts JavaScript that rewrites the URIs in the response page so that each one carries a cross-site response token (CSRT). If a CSRF attack happens, the attacker is sending a similar request but without the CSRT, so the system issues a 'CSRF attack detected' violation.

In addition, these tokens have a default aging timer. If the token has expired, the system issues a 'CSRF authentication expired' violation.

Example of an original URI reference:

<a href="https://test.netminion.net/default.php">

After enabling the CSRF protection feature, the same reference is rewritten as follows:

<a href="https://test.netminion.net/default.php?CSRT=13478375473454435234">
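To make the two violations concrete, here is an added example (written for this post, not F5's code or ASM's actual token format) of a server-side check that behaves the way the page describes ASM behaving: a token bound to the session and an issue time is appended as a CSRT query parameter, a request without a matching token is reported as a CSRF attack, and a valid token older than an assumed aging timer is reported as expired. The secret key, the token layout and the 600-second lifetime are all assumptions for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Assumed server-side secret and aging timer (constructed for this example;
# ASM's real token format and timer values are not shown on the page).
SECRET_KEY = b"example-secret-for-demo-only"
TOKEN_MAX_AGE = 600  # seconds


def _mac(session_id, issued_at):
    """HMAC over the session id and issue timestamp, truncated for brevity."""
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_token(session_id, now=None):
    """Mint a CSRT bound to this session; layout is '<issued_at>.<mac>'."""
    issued_at = int(now if now is not None else time.time())
    return f"{issued_at}.{_mac(session_id, issued_at)}"


def rewrite_uri(uri, token):
    """Append CSRT=<token> to a URI, mirroring the rewritten link in the post."""
    parts = urlparse(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["CSRT"] = [token]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def check_request(uri, session_id, now=None):
    """Classify an incoming request the way the page describes ASM doing it.

    Returns 'ok', 'csrf_attack_detected' (token missing, malformed, forged or
    from another session) or 'csrf_authentication_expired' (valid but too old).
    """
    now = now if now is not None else time.time()
    token = parse_qs(urlparse(uri).query).get("CSRT", [None])[0]
    if not token:
        return "csrf_attack_detected"  # request copied without the token
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return "csrf_attack_detected"  # not a token we minted
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _mac(session_id, issued_at)):
        return "csrf_attack_detected"  # token belongs to another session or is forged
    if now - issued_at > TOKEN_MAX_AGE:
        return "csrf_authentication_expired"  # aging timer elapsed
    return "ok"


if __name__ == "__main__":
    tok = issue_token("session-A", now=1000)
    link = rewrite_uri("https://test.netminion.net/default.php", tok)
    print(link)
    print(check_request(link, "session-A", now=1100))                # ok
    print(check_request("https://test.netminion.net/default.php",
                        "session-A", now=1100))                      # csrf_attack_detected
    print(check_request(link, "session-B", now=1100))                # csrf_attack_detected
    print(check_request(link, "session-A", now=1000 + TOKEN_MAX_AGE + 1))  # expired
```

The point of binding the token to the session is the one the post makes about the bank form: a forged request copied from a legitimate one carries the victim's cookies automatically, but it cannot carry a token the attacker's page never saw, so the token (not the cookie) is what distinguishes the two.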

Some more supporting documents on CSRF attacks:

https://owasp.org/www-community/attacks/csrf

https://support.f5.com/csp/article/K11930

Cross Site Scripting (XSS)

XSS is a type of injection attack in which malicious code is injected into trusted websites.

Cross-site scripting flaws typically allow an attacker to masquerade as the victim user, carry out any actions the user is able to perform, and access any data the user has stored.

JavaScript is the most common example of dangerous content delivered to a web browser, but it can also be HTML, Flash, or any other type of code the browser is capable of executing. The variety of XSS-based attacks is practically infinite, but they frequently involve sending sensitive information such as cookies or other session data to the attacker, redirecting the victim to content the attacker controls, or abusing the user's computer while impersonating the vulnerable website.

XSS is one of the most prevalent types of cyber-attack; JavaScript code fragments are frequently used to deliver malicious scripts, which the victim's browser then runs. Although XSS attacks can be dangerous, the flaws that make them possible are generally simple to fix. Rather than targeting the victim directly, the attacker distributes the malicious script through a website the victim visits.

In general, in CSRF the victim unknowingly sends a request to the banking website after clicking on a link received through social engineering, whereas in XSS all of the victim's information, including session cookies, can be stolen, so XSS is more dangerous than CSRF. Cross-site Scripting (XSS) is a client-side code injection attack.

There are three types:

Stored XSS – In this type the malicious payload is stored persistently, for example in a database, which is why it is also known as persistent XSS. It is the most damaging type: whenever a legitimate user opens the affected page, the XSS attack fires.

Reflected XSS – This is a non-persistent attack, which means the attacker has to send the payload each time and to each different user for the attack to happen. It is the most common type of XSS, and different social engineering methods are used to deliver it.

DOM-based XSS (Document Object Model) – This is the most advanced attack pattern. The attack happens entirely on the client side: the request is manipulated while the browser processes DOM data, and the malicious script is never sent to the server.

By leveraging the attack signature functionality or predefined meta characters, BIG-IP ASM can reduce the impact of XSS attacks. These methods assume that the default configuration has been created and detail the steps required to mitigate an XSS attack using the proper attack signatures.
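The two defences the post mentions, blocking disallowed meta characters at the request stage and stopping the payload from executing at the response stage, can both be shown in a few lines. The following is an added example written for this post (not ASM's signature engine or its meta-character list): it flags request parameters that contain characters a plain-text field should never carry, and it renders untrusted input with context-aware HTML escaping so that a stored or reflected payload reaches the browser as inert text. The sample query strings and the meta-character set are constructed for the example. Note the caveat from the DOM-based type above: a payload that never leaves the browser cannot be seen by a server-side check like this one, so that type needs client-side fixes (avoiding dangerous DOM sinks) instead.

```python
import html
from urllib.parse import parse_qs

# Constructed set of meta characters that have no business in a plain-text
# field such as a comment or a search term. ASM's own predefined list is not
# reproduced here; this is an illustrative stand-in.
DISALLOWED_META = frozenset('<>"\'`')

# Constructed sample query strings: one benign, one carrying a classic
# reflected/stored payload, one that merely uses an apostrophe legitimately.
SAMPLE_QUERIES = {
    "benign":     "q=cheap+laptops&comment=Great+deal",
    "scripted":   "comment=%3Cscript%3Ealert(1)%3C/script%3E&q=laptops",
    "apostrophe": "comment=That%27s+fine",
}


def find_meta_characters(query_string):
    """Request-stage check: map each parameter to the disallowed characters it contains.

    An empty dict means nothing was flagged. Parameters are URL-decoded first,
    since %3C is just '<' by the time the application sees it.
    """
    flagged = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        found = {ch for value in values for ch in value if ch in DISALLOWED_META}
        if found:
            flagged[name] = found
    return flagged


def render_untrusted(text):
    """Response-stage defence: escape user input for an HTML body or quoted attribute.

    html.escape with quote=True turns <, >, &, " and ' into entities, so a
    stored comment containing a script tag is displayed literally, not run.
    """
    return html.escape(text, quote=True)


def search_results_page(query):
    """Build a reflected-search page that echoes the query safely."""
    safe = render_untrusted(query)
    return (
        "<html><body>"
        f"<h1>Results for: {safe}</h1>"
        f'<input type="text" name="q" value="{safe}">'
        "</body></html>"
    )


if __name__ == "__main__":
    for label, qs in SAMPLE_QUERIES.items():
        print(label, "->", find_meta_characters(qs) or "clean")
    print(search_results_page("<script>alert(1)</script>"))
```

The apostrophe sample is the practitioner's reminder that meta-character blocking alone produces false positives on legitimate input, which is why the page pairs it with attack signatures, and why output escaping (which never rejects input, only neutralises it) is the defence that has to be present in every case.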
