Difference Between XSS and CSRF

XSS = Cross-Site Scripting, CSRF = Cross-Site Request Forgery

XSS

It is a script injected into the (innocent) host's web application by

  • Inserting a script into the website's inputs, such as a comment box, which is then executed when other users use the website.
  • Placing it in the query string of the actual host's URL and letting the user click the link.

XSS executes inside the host's domain, so it is more effective and can bypass many of the browser's protections. It can read all the information in local storage or cookies written by the targeted host and send that information to a malicious website for further action.

The protection is to sanitize all user input and to encode and escape all characters so that the injected code does not execute when it is rendered in the browser. A full explanation can be found on the OWASP website.
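The encoding step above, as an added example that is not part of the original post: a comment string is rendered into an HTML fragment first the unsafe way (straight concatenation) and then with output encoding applied, and a small check shows that the encoded version no longer contains a script tag. Node.js with no dependencies; the comment text and the function names are constructed for this illustration.

```javascript
// Added example (not from the original post). The sample comment below is a
// constructed input of the kind a comment box might receive.

// Characters that can change HTML structure or break out of an attribute
// value, mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode every character that has meaning in HTML so the browser displays it
// as text instead of parsing it as markup or script.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user input is concatenated straight into the page.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Fixed rendering: the input is encoded before it reaches the page.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Small check a test suite can run over rendered output: does the fragment
// contain a <script> tag the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input.
const sampleComment = 'Nice post! <script>alert(1)</script>';

console.log('unsafe:', renderCommentUnsafe(sampleComment));
console.log('safe:  ', renderCommentSafe(sampleComment));
```

Encoding is context-specific: the table above is for text and quoted attribute values in HTML; placing untrusted data into a URL, a JavaScript string, or a CSS value needs the encoding for that context, which is what the OWASP guidance the post refers to spells out.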

CSRF

As the name implies, this attack tricks the user into performing an unintended action. It is done by simulating a legitimate action performed via a URL, but with different parameters, and sending that URL to unaware users disguised as an innocent link.

https://www.some-legitimate-bank.com?action=transfer_money_to_hacker_account&value=1000

If the user clicks the link crafted by the malicious hacker while their browser session on the targeted website is still alive, the browser ends up performing the action the hacker intended.

CSRF can be prevented by a one-time challenge called a CSRF token, and most reputable modern web frameworks have it built in. A full explanation of how to protect against it is also on the OWASP website.