Know The Difference Between XSS vs CSRF
Cross-site scripting (XSS) and cross-site request forgery (CSRF) are very common client-side attacks against web applications. XSS executes attacker-supplied script in the victim's browser, in the context of the vulnerable site, so the script can act with the user's privileges; CSRF instead forges a request that the victim's browser sends on the victim's behalf. It is fair to say that XSS exploits the user's trust in a legitimate website, while CSRF exploits the website's trust in the user's browser.

What is a cross-site request?

Cross-site requests are what let websites embed content from other origins and so make pages dynamic. For example, online advertisements use cross-site requests to display images from Amazon, eBay, or other shopping sites.

How does CSRF work?

CSRF is an attack that forges an HTTP request to a target website and has it sent from the user's machine. The victim needs an open session on the target website, because the browser automatically attaches that site's cookies to any request it sends there, regardless of which page triggered the request; the forged request therefore arrives with the victim's session cookie, and a server that treats the cookie alone as proof of intent will act on it. (This automatic cookie attachment is exactly what the SameSite cookie attribute and per-session anti-CSRF tokens are meant to counter.) The HTTP request can be triggered using HTML tags or javasc...