Differentiate between CSRF vs XSS?
I know about cross-site scripting and cross-site request forgery. I want to know if there is any similarity between them.
CSRF vs XSS

In a cross-site request forgery attack, the attacker tries to force/trick you into making a request which you did not intend. This could be sending you a link that makes you involuntarily change your password. A malicious link could look like that:

https://security.stackexchange.com/account?new_password=abc123

In a cross-site scripting attack, the attacker makes you involuntarily execute client-side code, most likely Javascript. A typical reflected XSS attacking attempt could look like this:

https://security.stackexchange.com/search?q=">[removed]alert([removed])[removed]

Both attacks have in common that they are client-side attacks and need some form of user activity (e.g. clicking a link or visiting a website). Unlike RFI or SQLi vulnerabilities, you're attacking a user rather than the server.

XSS is generally more powerful than CSRF because it usually allows the execution of arbitrary script code while CSRF is restricted to a particular action (e.g. changing the password). As @Lukas points out, a successful XSS attack also effectively bypasses all anti-CSRF measures.
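The two server-side defences that the answer's examples call for, as an added illustration that is not part of the original answer: a synchronizer token check that rejects the forged password-change request (it arrives with the victim's cookie but without the per-session token), and HTML escaping of the reflected search query so the `">` break-out stays inert. The `Session` class, `check_password_change` and `render_search` are assumed names for this example, not a real framework's API.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """A logged-in user's server-side session (constructed for this example)."""
    user: str
    # Synchronizer token: unguessable, generated per session and embedded only
    # in the site's own forms. A link crafted on another site cannot know it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def check_password_change(session: Session, params: dict) -> bool:
    """Accept /account?new_password=... only if the request carries the token.

    The forged link in the answer rides on the victim's session cookie, so
    `session` is valid, but it has no csrf_token parameter and is refused.
    """
    supplied = params.get("csrf_token", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False
    new_password = params.get("new_password", "")
    return len(new_password) >= 8  # stand-in for the real password policy


def render_search(query: str) -> str:
    """Reflect the query into HTML with every special character escaped.

    The `">` a reflected-XSS payload uses to close the attribute becomes
    `&quot;&gt;`, so no script element is created. This is also what keeps
    the CSRF token safe: script running in the page could read it, so the
    token check is only as strong as the site's output encoding.
    """
    safe = html.escape(query, quote=True)
    return f'<input name="q" value="{safe}">'


if __name__ == "__main__":
    s = Session(user="alice")
    print(check_password_change(s, {"new_password": "abc123"}))  # forged: False
    print(render_search('">alert(1)'))
```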