| Name |
Reflected XSS |
|
| Likelyhood of attack |
Typical severity |
| High |
Very High |
|
| Summary |
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application. |
| Prerequisites |
An application that leverages a client-side web browser with scripting enabled. An application that fail to adequately sanitize or encode untrusted input. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Survey the application for user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application. |
- Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all links visited during a manual traversal of the web application.
- Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
|
| 2 |
Experiment |
[Probe identified potential entry points for reflected XSS vulnerability] The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. |
- Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
- Use a proxy tool to record results of manual input of XSS probes in known URLs.
- Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.
|
| 3 |
Experiment |
[Craft malicious XSS URL] Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim. |
- Change a URL parameter to include a malicious script tag.
- Send information gathered from the malicious script to a remote endpoint.
|
| 4 |
Exploit |
[Get victim to click URL] In order for the attack to be successful, the victim needs to access the malicious URL. |
- Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
- Put the malicious URL on a public forum, where many victims might accidentally click the link.
|
|
| Solutions | Use browser technologies that do not allow client-side scripting. Utilize strict type, character, and encoding enforcement. Ensure that all user-supplied input is validated before use. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-63 |
An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect. |
|