1. XSS:
XSS is a computer security vulnerability found in web applications that allows cybercriminals to inject client-side scripts into web pages viewed by users. The cybercriminal makes the victim's browser execute a script (usually written in JavaScript) that the attacker injected while the victim was visiting a trusted website. Cybercriminals can inject JavaScript into a website the victim trusts in a number of ways. It does not require an authenticated session, and it can be exploited when the vulnerable website does not perform the basics of validating or escaping input.
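The last sentence above is the crux for a defender: the injected script only runs because untrusted input reaches the page as markup. The following Python is an added example (not code from the original page) showing a vulnerable rendering function next to its escaped form; the display name, the `render_*` helper names and the `<script>` marker are constructed for illustration.

```python
import html

# Constructed sample input: a display name supplied by a user. A vulnerable
# page copies it into its HTML without escaping.
UNTRUSTED_NAME = 'Alice <script>alert(1)</script>'


def render_vulnerable(name: str) -> str:
    """Vulnerable: untrusted input is interpolated straight into HTML, so any
    tag in `name` becomes part of the page and is executed by the browser."""
    return f"<p>Welcome, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened: the same input is HTML-escaped for element content, so the
    browser renders '<' and '>' as text instead of parsing them as markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_attribute_safe(name: str) -> str:
    """Escaping for an attribute context: quote=True also converts quotes,
    which otherwise would let the input break out of the attribute value."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def contains_live_script(rendered: str) -> bool:
    """Crude check used only to illustrate the difference: does the output
    still carry a literal <script> tag that a browser would execute?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(UNTRUSTED_NAME))      # script tag survives intact
    print(render_safe(UNTRUSTED_NAME))            # rendered as &lt;script&gt;
    print(render_attribute_safe('x" onfocus="alert(1)'))  # quotes become &quot;
```

The escaping function must match the context the value lands in (element text, attribute value, URL, or JavaScript string); `html.escape` covers the first two, which is why the attribute example passes `quote=True`.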
2. CSRF:
Cross-Site Request Forgery is one of the most serious computer security vulnerabilities; it can be exploited in many ways, from changing user information without the user's knowledge to gaining full access to the user's account. Cybercriminals try to use the victim's existing context (for example, cookies) to force or trick you into making a request you did not intend to make. Every time you interact with a website, its server checks the cookies you send along with the request in order to know that it is you.
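Because the browser attaches cookies to every request automatically, the cookie alone cannot tell the server whether the user or a third-party page built the request. The usual defence is a per-session anti-CSRF token that the legitimate page embeds in its forms and that another origin cannot read. The Python below is an added example, not code from the original page; the in-memory session store, the `/email` endpoint and the `handle_change_email` helper are hypothetical.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data
SESSIONS: dict[str, dict] = {}


def create_session(user: str) -> str:
    """Log a user in: create a session identified by a random cookie value and
    bind a fresh anti-CSRF token to that session."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id: str) -> str:
    """The legitimate page embeds the session's token in the form it serves.
    Another origin cannot read this page, so it cannot learn the token."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/email">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><button>Save</button></form>'
    )


def handle_change_email(cookies: dict, form: dict) -> tuple[int, str]:
    """Hypothetical state-changing endpoint. The cookie identifies the session,
    but the token in the form body must also match the one bound to it."""
    session = SESSIONS.get(cookies.get("session_id", ""))
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    session["email"] = form.get("email", "")
    return 200, "email updated"


def demo() -> tuple[int, int]:
    """Run one legitimate and one cookie-only submission; returns both statuses."""
    sid = create_session("alice")
    token = SESSIONS[sid]["csrf_token"]
    # Legitimate submission: cookie plus the token the real form carried
    legit_status, _ = handle_change_email(
        {"session_id": sid}, {"csrf_token": token, "email": "alice@example.com"}
    )
    # Cross-site submission: the browser still sends the cookie, but the
    # request body has no valid token, so the server refuses it
    forged_status, _ = handle_change_email(
        {"session_id": sid}, {"email": "other@example.com"}
    )
    return legit_status, forged_status


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

In a real application this token check is combined with `SameSite` cookie attributes and, for browsers that send them, `Origin`/`Referer` header checks; the token is what makes the check independent of browser behaviour.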
Difference between XSS and CSRF:
S.No. | XSS | CSRF |
---|---|---|
1. | XSS stands for Cross-Site Scripting. | CSRF stands for Cross-Site Request Forgery. |
2. | The cybercriminal injects a malicious client-side script into a website. The script is added to expose the victim to some form of vulnerability. | The malicious attack is constructed so that a user sends malicious requests to the target website without knowing about the attack. |
3. | It involves the injection of arbitrary data that is not validated. | It relies on the browser's functionality and features to retrieve and execute the attack bundle. |
4. | It requires JavaScript. | It does not require JavaScript. |
5. | The site accepts the malicious code. | The malicious code is stored on third-party sites. |
6. | A site that is vulnerable to XSS attacks is also vulnerable to CSRF attacks. | A site that is completely protected from XSS attack types can still be vulnerable to CSRF attacks. |
7. | XSS is considered more harmful by comparison. | CSRF is considered less harmful by comparison. |
8. | Using an XSS vulnerability, the attacker can do anything he/she wants. | Using a CSRF vulnerability, the attacker can only do what the vulnerable URLs do. |