Cross Site Scripting (XSS):
- Injects malicious scripts into trusted websites.
- Exploits the user's trust in a website's content.
- The victim is the user, who unknowingly runs malicious scripts.
- The user's browser executes the attacker's script as if it were legitimate.
- Often used to steal session cookies, tokens, or sensitive user data.
- Requires improper output validation or lack of input sanitization.
- Common injection points include forms, search bars, comment sections, and URLs.
- The attack payload is typically JavaScript or other client-side code.
- Can affect multiple users who load the compromised page.
- Can be persistent (stored on the site) or reflected (bounced through a request).

CSRF:
- Exploits the website's trust in the authenticated user's browser.
- The victim is typically the website, which processes unauthorized actions.
- Relies on the user's browser sending legitimate session cookies with the forged request.
- Often used to perform actions like changing account details or transferring funds.
- Requires state-changing requests (such as POST, PUT, DELETE).
- Triggered by the user clicking malicious links, loading images, or submitting hidden forms.
- The attack payload is an unauthorized HTTP request, not executable script.
- Only affects authenticated users who are logged in while visiting the attack page.
- Requires no persistence on the target site; the attacker must craft each malicious request.

Security+, CySA+ - XSS vs CSRF (Get Tutoring @LandTechJobs.com)
