References

XSS

  • Cross-site scripting (or XSS)
  • XSS is a computer security vulnerability found in web applications that an attacker can use to inject client-side scripts into web pages viewed by users. The attacker makes the victim's browser execute a script (usually written in JavaScript) that the attacker injected while the victim was visiting a trusted website. There are many ways an attacker can inject JavaScript into a website the victim trusts. It does not require an authenticated session, and it can be exploited whenever the vulnerable website fails to perform the basic step of validating or escaping its input.

CSRF

  • Cross-site request forgery (or CSRF)
  • It can be exploited in many ways, from changing a user's information without their knowledge to gaining full access to their account. The attacker tries to use the victim's existing context (for example, cookies) to force or trick you into making a request you did not intend. Every time you interact with a website, its server checks the cookies sent along with your request so that it knows it is you.

| S.No. | XSS | CSRF |
|-------|-----|------|
| 1. | XSS stands for Cross-Site Scripting. | CSRF stands for Cross-Site Request Forgery. |
| 2. | The attacker injects a malicious client-side script into a website. The script is added to expose a victim to some form of vulnerability. | The attack is constructed so that a user sends malicious requests to the target website without knowing about the attack. |
| 3. | Arbitrary data is injected through input that is not validated. | It depends on the functionality and features of the browser to retrieve and execute the attack bundle. |
| 4. | JavaScript is required to perform this attack. | JavaScript is not required to perform this attack. |
| 5. | The site accepts the malicious code. | The malicious code is stored on third-party sites. |
| 6. | A site that is vulnerable to XSS attacks is also vulnerable to CSRF attacks. | A site that is completely protected against XSS attack types is still vulnerable to CSRF attacks. |
| 7. | XSS is more harmful by comparison. | CSRF is less harmful by comparison. |
| 8. | Using an XSS vulnerability, the attacker can do anything he/she wants. | Using a CSRF vulnerability, the attacker can only do what the vulnerable URLs do. |
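As an added example, not from the original page, the two defenses the comparison implies, in Python: output escaping stops the injected script in the XSS case, while the point of row 6 (a site fully protected against XSS still accepts a forged request that rides on the victim's cookie) is only closed once the state-changing handler checks a per-session token. The function names, the session store and the sample inputs are constructed for this illustration.

```python
import hmac
import html
import secrets

# Constructed sample inputs: a benign comment and one that carries a script tag.
BENIGN_COMMENT = "Nice post!"
SCRIPT_COMMENT = "<script>alert(1)</script>"

# Constructed session store keyed by the value the browser sends in its session cookie.
SESSIONS = {"sid-victim": {"user": "alice", "email": "alice@example.com"}}


def render_comment_vulnerable(comment: str) -> str:
    # Reflects user input into the page unchanged: no validation, no escaping (the XSS case).
    return '<p class="comment">' + comment + "</p>"


def render_comment_escaped(comment: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser displays text instead of running it.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def contains_script_tag(rendered_html: str) -> bool:
    # Cheap check used only to show the difference between the two renderers above.
    return "<script" in rendered_html.lower()


def issue_csrf_token(session: dict) -> str:
    # Stored server-side and embedded in the site's own forms; a third-party page cannot read it.
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def handle_change_email(request: dict, check_csrf: bool) -> str:
    """Simulated state-changing endpoint. Returns 'ok', 'unauthenticated' or 'csrf_rejected'."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return "unauthenticated"
    if check_csrf:
        expected = session.get("csrf_token", "")
        supplied = request.get("form", {}).get("csrf_token", "")
        # Constant-time compare; an empty expected token means no form was ever issued.
        if not expected or not hmac.compare_digest(expected, supplied):
            return "csrf_rejected"
    session["email"] = request["form"]["email"]
    return "ok"


if __name__ == "__main__":
    # A forged cross-site request carries the victim's cookie but cannot carry the token.
    forged = {"cookie": "sid-victim", "form": {"email": "attacker@example.com"}}
    print(render_comment_escaped(SCRIPT_COMMENT))
    print(handle_change_email(forged, check_csrf=False), handle_change_email(forged, check_csrf=True))
```

The cookie-bearing forged request succeeds against the handler that only checks the session, which is exactly why escaping alone (the XSS fix) does not address CSRF.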