μικροblog


October 30, 2006 · 1 comment

CSRF vs XSS: Clarifying things…

You have probably crawled the web for information on these two security risks and realised that it is quite difficult to distinguish an attack and determine whether it takes advantage of an XSS or a CSRF bug/weakness…

IMO, XSS has to do with user input filtering/validation and the code devoted to preventing malicious input through, e.g., a search textbox on a site. The more you try to filter characters like , ;, %, # the more you protect your site against XSS attacks. So, XSS = poor input/character validation.

In the case of CSRF (aka session riding), the attacker has to predict, in some way, the structure of the app/site he is attacking and a valid user's typical functions on the site. In fact, he has to know the actual operations performed by a site's user and the way the requests for those operations are made (GET or POST), along with the session/state mechanisms the site deploys. This is the actual meaning of the hype term: predictable structure for invocation. Keep in mind that the best way to know a site is to become a member, which brings us to the worst case, a stored CSRF attack, in which the site under attack and the carrier of the malicious code are one and the same.
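To make the distinction concrete, here is an added example (my own code, not from the original post) that puts the two weaknesses side by side in plain Python with no web framework. The XSS half shows a search page that echoes the query back, first verbatim and then HTML-encoded for the context it lands in, which is the robust form of the "input validation" the post talks about. The CSRF half shows why "predictable structure for invocation" is the root of the problem: a transfer handler that accepts any well-formed POST is rideable, while one that demands a per-session token derived from a server secret is not, because a third-party page cannot compute that token. The secret key, session ids and form fields are constructed for the demo.

```python
import hashlib
import hmac
import html

# Constructed demo key for this example; a real app loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


# ---- XSS: the weakness is how untrusted input is written back into the page ----

def render_search_unsafe(query: str) -> str:
    """Echoes the search term into HTML verbatim: the XSS weakness the post describes."""
    return f"<p>Results for {query}</p>"


def render_search_safe(query: str) -> str:
    """Same page, but the term is HTML-encoded for the HTML-text context it lands in.
    Encoding on output is more reliable than blacklisting characters on input, because
    the dangerous characters depend on where the value is inserted."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


# ---- CSRF: the weakness is that a legitimate request is fully predictable to a third party ----

def make_csrf_token(session_id: str) -> str:
    """Derive a per-session token that must accompany every state-changing request.
    Without SERVER_SECRET nobody else can compute it, so the request structure is no
    longer predictable from the outside (the session id itself must be unguessable)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer_rideable(session_id: str, form: dict) -> tuple:
    """The vulnerable shape: the browser's session cookie identifies the user and any
    well-formed POST with the expected field names is honoured. Returns (status, message)."""
    return 200, f"transferred {form['amount']} to {form['to']} for session {session_id}"


def handle_transfer_protected(session_id: str, form: dict) -> tuple:
    """Hardened shape: same fields, but the form must also carry the session's token."""
    submitted = form.get("csrf_token", "")
    expected = make_csrf_token(session_id)
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(submitted, expected):
        return 403, "rejected: CSRF token missing or does not match this session"
    return 200, f"transferred {form['amount']} to {form['to']} for session {session_id}"


def demo() -> dict:
    """Run both halves on constructed input and return the outcomes for inspection."""
    session = "sess-constructed-1"
    # A form the site's own page would submit (token rendered into the page by the server).
    own_form = {"to": "savings", "amount": "10", "csrf_token": make_csrf_token(session)}
    # The same fields without a token, i.e. what a page that only knows the site's
    # request structure (GET/POST, field names) can produce.
    predictable_form = {"to": "savings", "amount": "10"}
    return {
        "xss_unsafe": render_search_unsafe("<b>bold</b>"),
        "xss_safe": render_search_safe("<b>bold</b>"),
        "rideable": handle_transfer_rideable(session, predictable_form)[0],
        "protected_no_token": handle_transfer_protected(session, predictable_form)[0],
        "protected_with_token": handle_transfer_protected(session, own_form)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is that the two checks live in different places: the XSS fix belongs wherever user data is written into output, while the CSRF fix belongs on the server side of every state-changing request and has nothing to do with the characters in the data. A token of this kind is usually paired with SameSite cookie attributes and an Origin/Referer check, but the token alone already breaks the "predictable invocation" property the post describes.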

More to the story of CSRF and XSS as it develops…

Categories: Developing