Unlike a Cross-Site Scripting (XSS) attack, which is used mostly to steal user data, Cross-Site Request Forgery (CSRF) mostly exploits weaknesses in a website's authentication and authorization process, and the two attacks are often used in combination. The existence of an XSS vulnerability allows an attacker to bypass anti-CSRF mechanisms. Thus Cross-Site Scripting misuses the user's trust in a known website, while Cross-Site Request Forgery misuses the website's trust in the user's requests.
For example, consider a scenario in which you are browsing a support forum where another user has posted a good answer to your query and included an image in the detailed response, but the image's src attribute is actually an attack URL, i.e. a URL that requests a funds transfer from your banking website.
In such a case, if the bank trusts your browser, it will execute the transfer request. The trust can be assumed because there is an active cookie holding a valid session/account ID, issued by the banking site only after a proper authentication process. Similarly, an attacker may lure you into clicking an HTML link or an image that may execute JavaScript.
CSRF vulnerabilities have also resulted in remote code execution with root privileges, as well as a vulnerability that can compromise a root certificate, which would completely undermine a public key infrastructure.
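The scenario above, modelled server-side as an added example (not code from the original page): a transfer handler that trusts the session cookie alone, beside one that also requires POST, a matching Origin and a per-session token. The origin `https://bank.example`, the `x-csrf-token` header name, the function names and the request objects are all assumptions constructed for illustration, and the forged request assumes, as the scenario does, that the browser attaches the session cookie.

```javascript
const crypto = require("node:crypto");

const BANK_ORIGIN = "https://bank.example"; // constructed placeholder origin
const sessions = new Map(); // session id -> { account, csrfToken }

// After authentication the bank issues a session cookie and a per-session token.
function login(account) {
  const sid = crypto.randomBytes(16).toString("hex");
  sessions.set(sid, { account, csrfToken: crypto.randomBytes(32).toString("hex") });
  return sid;
}

// Weak: the cookie alone authorizes the transfer, so any request the browser
// sends with it is honoured, including one triggered by an image tag elsewhere.
function transferCookieOnly(req) {
  const session = sessions.get(req.cookies.sid);
  return session ? { status: 200, from: session.account } : { status: 401 };
}

// Constant-time comparison; a missing token compares as the empty string.
function tokensMatch(a, b) {
  const x = Buffer.from(String(a || ""));
  const y = Buffer.from(String(b || ""));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hardened: POST only, same origin, and a token that a third-party page cannot
// read. Script running on the bank's own origin (XSS) can read it, which is
// why an XSS flaw defeats this check.
function transferHardened(req) {
  const session = sessions.get(req.cookies.sid);
  if (!session) return { status: 401 };
  if (req.method !== "POST") return { status: 405 };
  if (req.headers.origin !== BANK_ORIGIN) return { status: 403, reason: "origin" };
  if (!tokensMatch(req.headers["x-csrf-token"], session.csrfToken))
    return { status: 403, reason: "token" };
  return { status: 200, from: session.account };
}

// Constructed requests: one as the forum image would trigger it, one from the bank's own form.
function demo() {
  const sid = login("alice");
  const forged = { method: "GET", cookies: { sid }, headers: {} };
  const genuine = { method: "POST", cookies: { sid },
    headers: { origin: BANK_ORIGIN, "x-csrf-token": sessions.get(sid).csrfToken } };
  return { weak: transferCookieOnly(forged), forged: transferHardened(forged),
           genuine: transferHardened(genuine) };
}

console.log(demo());
```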