What is the difference between XSS and CSRF vulnerabilities ?

To sum up ,the vulnerability CSRF allows an attacker to use existing functionalities of a web application. In a bank application , an attacker could force a customer to use the existing feature of transferring money to “attacker’s account”.

In other hand XSS vulnerability allow an attacker to “create new functionalities” on the website using Javascript code :

  • Deface the website
  • Send cookies information to an attacker’s website


  • More detailed explanation of the differences :

    Fundamental difference is that CSRF (Cross-site Request forgery) happens in authenticated sessions when the server trusts the user/browser, while XSS (Cross-Site scripting) doesn’t need an authenticated session and can be exploited when the vulnerable website doesn’t do the basics of validating or escaping input.

    https://www.quora.com/What-is-the-difference-between-XSS-and-CSRF-from-their-execution-perspective

    Owasp made a top-10 of the most common vulnerabilities in web applications.This classification did not change from 2013 to 2017.

  • XSS corresponds to A3 – Cross-site scripting
  • CSRF corresponds to A8- Cross-site request forgery
  • https://www.owasp.org/index.php/Top_10_2013-Top_10

    CSRF prevention

    Basically one solution against this attack is to append a unique identifier to the POST form and let the server verify the identifier. POST form request is usually used to modify data. That’s usually what attacker will try to use when exploiting CSRF vulnerability. GET requests are normally used to retrieve information.

    In Java the framework Spring Security used an unique identifier as anti CSRF technique : https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

    How to test for CSRF vulnerability ?

    https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)

    XSS types

    XSS happens when we don’t escape characters and validate input .Typically this vulnerability allows an attacker to send input with the intention to retrieve sensitive information(for example cookie) from the website.

    There are different types of XSS attacks :

  • Stored XSS attacks
  • Reflected XSS attack
  • Stored XSS attacks

    This is the worse XSS vulnerability to have on one website. Indeed if the malicious javascript code is stored in the database, potentially this malicious code could be executed in different webpages of the website.

    Reflected XSS attack

    It is very similar to a stored XSS attack except the malicious code is not stored. The malicious code can be executed on the web browser.

    How to test for XSS vulnerability ?

    Test Reflected XSS attack
    In the following example i have added some Javascript code into the input “info”.If the cookie is written back to the screen , this website is sensitive to XSS attack :

    function.do?info=blah<script>alert(document.cookie)</script>
    

    https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)

    Test Stored XSS attack
    This webpage explained how to test a website for stored XSS vulnerability.
    https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)

    XSS prevention

    Basically input should be checked for special characters. Input should be validated and verified.

  • One solution is to use Regex to escape characters.
  • Another solution is to use existing libraries to avoid XSS. In Java ESAPI seems like a robust library : https://github.com/esapi/esapi-java-legacy
  • How to avoid XSS and allow HTML tags with javascript :
    https://stackoverflow.com/questions/19824338/avoid-xss-and-allow-some-html-tags-with-javascript/19943011#19943011

    Detailed XSS Explanation

    There are many websites explaining in details XSS attacks. This one explained in details the scenarios of attacks :
    https://excess-xss.com/.

    This other website gives an overview of the difference between the XSS types
    http://deadlytechnology.com/web-development/xss/

    Framework Gwt offers some protection

    On one application ,the scanner Zap Proxy did not found any of these vulnerabilities(XSS-CSRF). This webapp used the framework Gwt. By default it has limited protection against these vulnerabilities. But it is possible to test Gwt more in depth for vulnerabilities with this tool : https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset

    Advertisements

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s