Why CSRF Is Not The Same As XSS

Since HackerOne came into the system to create close connection between white hats and tech. companies (primarily for security reasons), we have come across terminologies like CSRF, XSS, SQLi and the Poisoned null byte. These terminologies are part of today’s most common, harmful vulnerabilities affecting web applications.  Major tech. companies (Google, PayPal, Uber, and Twitter) have benefited from white hats or security researchers like @Rafaybaloch,  filedescriptor , and Egor Hakimov’s  willingness to help detect hidden bugs or technical mistakes yet unknown to  developers and programmers.

However, it seems outsiders still find it difficult to differentiate between XSS and CSRF.  We should not interchange XSS with CSRF.  XSS and CSRF don’t apply to each other.

Definition of XSS

XSS simply means cross site scripting.  XSS is a code attack method used by hackers to inject malicious script.

In XSS attack, attackers exploit the trust the user has for a particular webiste. Generally like all injection attacks, XSS takes advantage of the fact that browser’s can’t tell a valid markup. The attackers do not directly target their victims. They look for vulnerability in a website to inject and deliver malicious scripts for users.

Attackers inject malicious javascript into one of the pages that

Read more ... source: TheBitcoinNews