I think cross-site scripting means stealing session cookies and login information, for example a hacker posts the code into the comment section, while CSRF means that the attacker uses the fact that the user has already logged into his account, for example a malicious email can be sent to the logged-in user with a hidden link.
From my experience, XSS is a common vulnerability where attackers inject malicious scripts into a website, which then run in a user’s browser. This can lead to stolen data, unauthorized actions, or even complete session hijacking if not properly mitigated.
For example, if an attacker injects a malicious script into a comment section on a site, when other users view the page, the script executes and can steal their login credentials or perform actions on their behalf.
CSRF is another vulnerability I’ve come across often, where an attacker tricks an authenticated user into performing actions they didn’t intend to. This can happen because the website trusts the user’s browser, not realizing that the request is forged.
Take online banking, for example. An attacker can send a specially crafted email with a link that, when clicked, initiates a bank transfer using the user’s own credentials, without their knowledge.
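The defences that match the two scenarios in the answers above, as an added example that is not part of either answer: escaping on output for the comment section, and a session-bound token check for the transfer request. The function names, the transfer handler and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)


def render_comment_unsafe(comment: str) -> str:
    """The 'before' case: user text is placed into the page as markup."""
    return f"<li class='comment'>{comment}</li>"


def render_comment(comment: str) -> str:
    """Escape on output so user text is displayed, never parsed as HTML."""
    return f"<li class='comment'>{html.escape(comment, quote=True)}</li>"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; the site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(method: str, session_id: str, form: dict) -> int:
    """Return an HTTP status for a hypothetical transfer endpoint."""
    if method != "POST":
        return 405  # state changes are never performed on a GET (a clicked link)
    sent = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(sent, expected):
        return 403  # session cookie was present, but the request did not come from our form
    return 200


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test comment
    print(render_comment_unsafe(sample))
    print(render_comment(sample))
    sid = "session-abc"  # constructed session id
    print(handle_transfer("GET", sid, {}))
    print(handle_transfer("POST", sid, {"amount": "100"}))
    print(handle_transfer("POST", sid, {"csrf_token": issue_csrf_token(sid)}))
```
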