“XSS vs CSRF – What is more dangerous? There’s been a lot of talk lately about the ‘new’ Cross Site Request Forgery (CSRF) vulnerabilities that are apparently present in nearly every web application in the world. The fact that big name websites (read: Yahoo & Google) have this vulnerability makes people even more scared.”
A successful XSS exploit requires the following:
1. An XSS vulnerability in the application (preferably before login).
2. A method to induce the execution of a script (e.g. a phishing email).
3. An effective script to steal user information.
The requirements for a CSRF exploit are in fact more stringent:
1. A form that is vulnerable to CSRF.
2. A method to induce execution of the request.
3. A successful form submission method.
4. A vulnerable form that provides an attacker with a useful attack vector.
5. Access to the form (since forms often exist after login).