Explain CSRF vs XSS vs SSRF.
CSRF tricks a logged-in user’s browser into making unintended requests, XSS injects malicious scripts into web pages, and SSRF abuses servers to fetch unauthorized internal or external resources.
When to Use
- CSRF: Attacks logged-in sessions (e.g., forcing a bank transfer).
- XSS: Exploits unsanitized inputs (e.g., malicious comment with <script>).
- SSRF: Targets server fetch requests (e.g., image loader accessing private IPs).
Example
- Clicking a hidden transfer link (CSRF)
- Posting a harmful script in a comment (XSS)
- Making a server call internal resources (SSRF)
Why Is It Important
Each attack undermines trust differently: CSRF exploits user trust, XSS abuses site trust, and SSRF exploits server trust.
Interview Tips
Explain them as:
- CSRF → “User trusted by site.”
- XSS → “Site trusted by user.”
- SSRF → “Server trusted by network.”
Keep answers short with one clear example.
Trade-offs
No one-size defense: CSRF tokens prevent CSRF, sanitization stops XSS, network rules protect SSRF—but each adds dev effort and complexity.
Pitfalls
Common mistakes: mixing up CSRF with XSS, skipping input validation, or assuming firewalls alone prevent SSRF.
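As an added example (not code from the original page), here is the SSRF check a server-side fetcher such as the image loader above should run before following a user-supplied URL: resolve the host and refuse private, loopback and link-local addresses rather than relying on the firewall alone. The function name `is_safe_fetch_target` and the `resolve` hook are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web URLs may be fetched on a user's behalf; file://, gopher:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return the IP address strings a host maps to (IP literals need no DNS lookup)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_fetch_target(url, resolve=resolve_host):
    """True only if every address the URL's host resolves to is publicly routable.

    `resolve` is an injectable hook (hypothetical name). The fetcher must then
    connect to the address that was checked; if it re-resolves the name, a DNS
    answer that changes between check and fetch (rebinding) bypasses this test.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    try:
        addresses = resolve(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addresses:
        return False
    for raw in addresses:
        addr = ipaddress.ip_address(raw)
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 range checks apply.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False
    return True
```

The sample addresses in the tests are constructed; 93.184.216.34 stands in for any public host.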