TMCnet Feature
July 30, 2019

What is Cross-Site Request Forgery and how is it different from Cross-Site Scripting?

Cross-Site Request Forgery (CSRF) is a long-standing entry in "The OWASP Top 10", the list ranking the most critical web application security risks. It held a slot through the 2013 edition and was retired from the 2017 list mainly because most web frameworks now ship built-in CSRF defences, but it remains a common finding in applications that do not use them.



Cross-Site Request Forgery is a dangerous yet interesting threat. Why? It lets an attacker hijack your online actions by tricking your browser into performing them without your knowledge. But how is that possible? And how does it compare with other popular web attacks, especially Cross-site Scripting (XSS)? Let's discuss in detail.

What is Cross-Site Request Forgery?

Cross-Site Request Forgery (CSRF) is an attack that tricks the user's browser into sending state-changing requests to a web application in which the user is already logged in, so the application performs those actions on the user's behalf. CSRF is also known as Sea Surf, Session Riding, and XSRF.

Of course, the user is completely unaware of the attack and of the actions taken on his or her behalf until it is too late. That is why CSRF is a dangerous attack vector. For example, say you are logged in to your bank and then open an attacker's page in another tab. That page silently makes your browser submit a transfer request to the bank; the bank honours it because your session cookie travels with the request, and your funds land in the attacker's account.

How Is a CSRF Attack Executed?

A CSRF attack is usually delivered through social engineering: an email, a link shared on social media, or a web page under the attacker's control. The page or link makes the victim's browser send a forged request (for instance from a hidden form that submits itself) to a site where the victim is already logged in. Because browsers automatically attach cookies for the target site, the forged request arrives carrying the victim's valid session.

The user sees nothing unusual, and the server cannot tell the forged request from a genuine one: it is correctly authenticated, which makes the attack hard to detect after the fact. The defence is to require something the attacker's page cannot supply, such as an unpredictable per-session token embedded in the site's own forms, and to mark session cookies SameSite so the browser withholds them on cross-site requests.

What is Cross-site Scripting (XSS)?

Cross-site Scripting (XSS) is an attack where an attacker injects malicious client-side script into a web page that other users then load. Because the injected script runs with the origin of the vulnerable site, it can read the page and its data, issue requests as the victim and, unless the session cookie is flagged HttpOnly, read the cookie itself. That lets the attacker sidestep access controls and impersonate the user.

Cross-site Scripting is, like Cross-Site Request Forgery, listed in "The OWASP Top 10", i.e., it is also one of the most common web attack vectors. Its impact ranges from a nuisance to a severe compromise, depending on what the target website protects.

For instance, if an attacker can inject a script into a banking site, that script can move funds from users' accounts to his own. If the target is a to-do website, the script may just read or steal the users' to-do lists. Of course, the actual damage depends on how sensitive those to-do items are.

How Is an XSS Attack Executed?

An XSS attack is usually executed in two steps. First, the attacker finds a way to inject malicious code (JavaScript) into a page the site serves. The underlying vulnerability is almost always output that includes user-controlled input without encoding it for the HTML context it lands in, whether that input comes from the current request (reflected XSS), from data the site stored earlier (stored XSS), or is handled entirely by client-side script (DOM-based XSS).

Then the victim has to load the page where the injected script lives. For reflected XSS that means baiting the target, typically with a phishing email or a social-media link that carries the payload in the URL. For stored XSS the payload sits in the site itself (a comment, a profile field) and runs for everyone who views it, so no bait is needed.

How is CSRF Different from XSS?

Cross-Site Request Forgery (CSRF) and Cross-site Scripting (XSS) are two distinct attack vectors with many differences and a few similarities. Let's discuss the similarities first, then the differences.

First of all, CSRF and XSS are both client-side attacks: they are carried out through the victim's browser rather than by compromising the application's server. Both also depend on the user doing something, such as clicking a link or visiting a page, for the attack to succeed. Now, let's discuss their dissimilarities.

1] Vulnerabilities’ Basics

"XSS uses the trust that a user has in a website; CSRF uses the trust that a website has in a user's browser," writes ThreeShield Information Security Corporation while explaining the (basic) layman's difference between CSRF and XSS.

In a Cross-Site Request Forgery attack, the attacker tricks your browser into sending a request you never intended, for example one that changes your account password or your user details, without your knowledge.

In a Cross-site Scripting attack, the attacker gets malicious code to run in your browser within the vulnerable site's context. That code can perform actions for you or steal your data; for example, it may read your session cookies (unless they are flagged HttpOnly) and send them to the attacker.

Additionally, CSRF affects one victim per lure: each user has to be tricked into loading the attacker's page. A stored XSS flaw, by contrast, fires for every user who views the poisoned page, so a single injection can compromise a large part of the user base.

2] One-way vs. Two-way

CSRF can be described as a one-way (blind) vulnerability: the attacker can make the victim's browser send a forged request with the victim's credentials, but the browser's same-origin policy prevents the attacker's page from reading the response. XSS is two-way: the injected script runs inside the target site's origin, so it can send requests, read the responses (output data), and exfiltrate that data to the attacker's server.

3] Their Severity Levels

In terms of potential damage, Cross-site Scripting (XSS) is generally more severe than Cross-Site Request Forgery (CSRF). Why? XSS allows running arbitrary attacker-chosen code in the victim's session, and that code can chain together many malicious actions. CSRF is usually limited to forging specific requests, and only against endpoints that lack CSRF protection (say, a password change).

Let's discuss it further. An XSS exploit lets the attacker perform almost any action the user is allowed to perform, whether or not the feature behind that action is itself vulnerable. If the injection lands through a bug in feature #A, the script can still drive features #B and #C on the user's behalf, involuntarily. It can also read any anti-CSRF token the page contains, so CSRF protection on its own does not stop it.

Though CSRF and XSS have their differences, they can be used together as well, causing even greater damage. “One is used to run untrusted code while the other is used to hijack authentication. The combined effect of these issues can be quite powerful,” mentions a post published by Tripwire’s The State of Security.

For instance, suppose a website's admin form is susceptible to XSS. An attacker can plant a payload that runs in an administrator's session and, from there, create accounts, change settings, or inject further payloads that reach other users of the website. That is not possible with CSRF alone, which cannot read the administrator's pages or tokens.

Nevertheless, CSRF and XSS are two of the dangerous vulnerabilities a web app or website must be protected against. What do you think? Did you find this post helpful? Please write a comment below to post your feedback.
