How to protect against XSS and CSRF attacks?
How do CSRF attacks work?
An example:
Suppose that you have a page that deletes users, like user_delete.php?id=. On that page you take the id, verify in the session that the current user has access to delete that user, and you delete the user.
Now suppose that a user is able to put an image tag in your page, and it gets interpreted as HTML code. All an "evil user" has to do is make a story with a tag like <img src="user_delete.php?id=3" />. What happens when an admin views that page? The browser doesn't care that the image's src is not a picture and will actually request user_delete.php?id=3. That page checks whether the user requesting it has access, and he does: the person requesting the page is logged in to the admin account. Bye bye, user with id 3.
I learned about this while I was testing the CakePHP framework. It's a pretty nice thing to know.
How do XSS attacks work?
You can find a very detailed example here about how to exploit XSS vulnerabilities in a site. XSS is basically HTML injection. When a user can inject code into your page because you don't filter the output, he can, for instance, steal your cookies and your PHP session.
The basic defense against CSRF is to never use GET requests to make modifications on the server. Use GET to retrieve data from the server and POST to create, update or remove data on the server. This is the standard.
The basic defense against XSS attacks is to be very careful how you output user-contributed content in a page (use functions like strip_tags and htmlspecialchars).
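Putting both defenses together, here is an added example (not code from the original post) of how user_delete.php could look: it refuses to delete on GET, and on POST it additionally requires a random per-session token, because a forged form can be auto-submitted as a POST just as easily as an <img> tag issues a GET; the token is what the attacker's page cannot know. The function names and the form layout are assumptions for illustration.

```php
<?php
// Added example, not code from the original post: user_delete.php that only
// deletes on a POST carrying a per-session CSRF token, and that escapes
// user-contributed text on output. Names below are assumptions for illustration.
session_start();

// Issue (or reuse) a random token bound to this session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A state-changing request is valid only if it is a POST whose token matches
// the one in the session (a forged <img> request is a GET and carries no token).
function csrf_request_is_valid(string $method, ?string $token): bool {
    if ($method !== 'POST' || $token === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $token); // constant-time compare
}

// Output encoding for untrusted text: <img src="user_delete.php?id=3" /> in a
// story is rendered as literal characters, not as a tag the browser fetches.
function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$id = (int)($_POST['id'] ?? $_GET['id'] ?? 0);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_request_is_valid('POST', $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Forbidden: missing or invalid CSRF token.');
    }
    // ... the original session/authorisation check and the delete go here ...
    exit('User ' . $id . ' deleted.');
}

// GET: no modification at all, only a confirmation form that carries the token.
echo '<form method="post" action="user_delete.php">'
   . '<input type="hidden" name="id" value="' . $id . '">'
   . '<input type="hidden" name="csrf_token" value="' . escape_html(csrf_token()) . '">'
   . '<button type="submit">Delete user ' . $id . '</button></form>';
```

Any user-contributed story goes through escape_html() before it is echoed, so the image tag from the example above shows up as text and never triggers a request.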
- liviu's blog