To sum up, a CSRF vulnerability allows an attacker to make use of existing functionality of a web application. In a bank application, an attacker could force a customer to use the existing money-transfer feature to send money to the attacker's account.
A more detailed explanation of the differences:
The fundamental difference is that CSRF (Cross-Site Request Forgery) happens in an authenticated session, when the server trusts the user's browser, while XSS (Cross-Site Scripting) does not need an authenticated session and can be exploited when the vulnerable website does not do the basics of validating or escaping input.
OWASP maintains a Top 10 of the most common vulnerabilities in web applications. This classification did not change from 2013 to 2017.
Basically, one defence against this attack is to append a unique identifier (a token) to the POST form and have the server verify that identifier. POST requests are usually used to modify data, which is what an attacker exploiting a CSRF vulnerability will typically target. GET requests are normally used to retrieve information.
In Java, the Spring Security framework uses such a unique identifier as its anti-CSRF technique: https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html
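The synchronizer token pattern described above, as an added example that is not code from the original page or from Spring Security. It assumes a constructed in-memory session store standing in for a real framework's sessions, and a hypothetical handle_transfer() handler for the bank's transfer feature; the point it shows is that a cross-site form can carry the victim's cookie but not the token, so the server rejects it.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a real framework's session
# (assumption: keyed by the session-cookie value the browser sends automatically).
SESSIONS = {}


def login(user):
    """Create an authenticated session and a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Embed the session's token as a hidden field, as the synchronizer token
    pattern does; only pages served by this origin can read it. token_urlsafe()
    yields only [A-Za-z0-9_-], so it is safe inside the attribute."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="_csrf" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(sid, form):
    """Hypothetical state-changing POST handler: authenticate via the session
    cookie, then require a token matching the one stored for that session."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("_csrf", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"


def demo():
    """Legitimate submission versus a cross-site submission that carries the
    cookie but no token. Returns the two HTTP status codes."""
    sid = login("alice")
    token = SESSIONS[sid]["csrf_token"]
    assert f'value="{token}"' in render_transfer_form(sid)
    legitimate = handle_transfer(sid, {"_csrf": token, "to": "bob", "amount": "10"})
    # A form hosted on another site cannot read the token (same-origin policy),
    # so the browser sends the cookie (sid) but the token field is absent.
    forged = handle_transfer(sid, {"to": "attacker", "amount": "1000"})
    return legitimate[0], forged[0]


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The check is deliberately tied to the session rather than to a global secret: a token leaked from one user's page is useless against another session, and a GET endpoint that changes state would bypass it entirely, which is why the text stresses keeping modifications on POST.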
How to test for a CSRF vulnerability?
XSS happens when input is not validated and output characters are not escaped. Typically this vulnerability allows an attacker to inject input intended to retrieve sensitive information (for example a cookie) from the website.
There are different types of XSS attacks:
Stored XSS attacks
Reflected XSS attacks
Reflected XSS is very similar to a stored XSS attack, except that the malicious code is not stored on the server; it is reflected back in the response and executed in the web browser.
How to test for an XSS vulnerability?
Testing for reflected XSS
Testing for stored XSS
This webpage explains how to test a website for a stored XSS vulnerability.
Basically, input should be checked for special characters. Input should be validated and verified.
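The validation and escaping point above, as an added example that is not code from the original page. It assumes a few constructed probe strings (the kind a tester submits to a search parameter or a comment field) and a list standing in for a stored-comment table, and contrasts a handler that reflects input verbatim with one that escapes it for the HTML body context.

```python
import html

# Constructed probe inputs standing in for what a tester submits to a reflected
# or stored parameter (assumption: plain strings, no real site involved).
PROBES = [
    "<script>alert(1)</script>",   # breaks out of the text node
    '" onmouseover="alert(1)',     # breaks out of a quoted attribute
    "Bob & Alice <3",              # harmless text that still needs escaping
]

COMMENTS = []  # constructed stand-in for a stored-comment table


def render_reflected_unsafe(query):
    """Reflected XSS: the search term is written into the page verbatim."""
    return f"<p>Results for: {query}</p>"


def render_reflected_safe(query):
    """Fix: escape for the HTML body/attribute context before writing it out.
    quote=True also escapes quotes, so the value is safe inside attributes."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def store_comment(text):
    """Stored XSS arises when raw input is persisted and later rendered unescaped."""
    COMMENTS.append(text)


def render_comments_safe():
    """Escape at output time; the stored value may be anything the user typed."""
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS)


def contains_raw_markup(rendered, user_input):
    """Test helper: does the input survive into the page with its '<' or '"'
    intact? Safe rendering must never let that happen."""
    return ("<" in user_input or '"' in user_input) and user_input in rendered


def demo():
    """For each probe, report whether the unsafe and safe renderers leak raw markup."""
    results = {}
    for probe in PROBES:
        results[probe] = (
            contains_raw_markup(render_reflected_unsafe(probe), probe),
            contains_raw_markup(render_reflected_safe(probe), probe),
        )
    return results


if __name__ == "__main__":
    for probe, (unsafe, safe) in demo().items():
        print(f"{probe!r}: unsafe leaks={unsafe}, safe leaks={safe}")
```

Escaping is context-specific: html.escape covers the HTML body and quoted attributes, but a value written into a JavaScript string, a URL, or a CSS rule needs the encoder for that context, which is why input validation (rejecting characters the field never needs) is listed alongside output escaping.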
Detailed XSS Explanation
There are many websites explaining XSS attacks in detail. This one explains the attack scenarios in detail:
This other website gives an overview of the differences between the XSS types:
The GWT framework offers some protection
On one application, the ZAP Proxy scanner did not find any of these vulnerabilities (XSS, CSRF). This web app used the GWT framework, which by default has limited protection against these vulnerabilities. But it is possible to test GWT more in depth for vulnerabilities with this tool: https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset