Triggering Javascript by user-agent string. CSRF or XSS?

I've read several PHP-security books, but after reading one I got confused about the definition of a CSRF (Cross-Site Request Forgery). Wikipedia explains it as this:

Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Normally this exploits goes about sending two requests, one for getting a token, and one for getting a token to reset e.g an administrator account. By example exploiting the vulnerability where a website generates weak entropy tokens by using e.g mt_srand(). Right?

But what if a website logs which browser you're using by collecting it's user_agent string? E.g: AdminPanel.php:

<?php     $browser = $_SERVER['HTTP_USER_AGENT'];     echo $browser; ?> 

Normally this'd return: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

But I could edit my user-agent string in Firefox:

+----------------------------+----------+--------+-----------------------------------------------------------------------------------------------------+ | general.useragent.override | user set | string | <script>window.location.replace('');</script> | +----------------------------+----------+--------+-----------------------------------------------------------------------------------------------------+ 

This way the Javascript code would be executed on the Admin-panel. But is this XSS or CSRF? I mean, the website does trust the user's browser to contain valid values. Like Wikipedia says. It doesn't necessary trust 'user-input' like in XSS. I got confused by what CSRF is, I've seen loads of different definitions.



Your example is XSS. The full definition of CSRF from Wikipedia:

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

Example of a CSRF attack: let's say you own a website, and you have a shop where users can buy items using GET requests. An example link would be:, and it doesn't perform any authentication but making sure the user is online. You land on the page - Boom, $30 are withdrawn from your bank account.

Now, an attacker could take that link and mask it inside an email, or by embedding it into a clickable image on an active forum - thus making it appear safe (click here to read more, etc). When a user clicks that link (who does not want to buy that item) - he's automatically charged the $30 which he didn't even want to spend!

The protection against this is fairly simple - You generate a unique CSRF token for every user when his session is created, and force him to pass the token as a parameter. So now your link is Now, an attacker can't send me "malicious" links - because he doesn't know my token!

As you can see, this attack really has nothing to do with Javascript. Your example was reflected XSS (an interesting topic by itself, albeit unrelated to your question so I won't dive into it here)

Category: web application Time: 2016-07-30 Views: 0

Related post

iOS development

Android development

Python development

JAVA development

Development language

PHP development

Ruby development


Front-end development


development tools

Open Platform

Javascript development

.NET development

cloud computing


Copyright (C), All Rights Reserved.

processed in 0.108 (s). 12 q(s)