Cross-site Scripting (XSS) - Reflected (CWE-79)

Overview

Description

Reflected XSS is the simplest form of XSS: the malicious script is injected through a request, reflected back in the response, and then executed in the victim's browser.

An attacker may craft such a malicious request and deliver it to the victim as a link, or in some other format designed to lure the user into opening it.

Reflected XSS is valid only for that request, or that session.

Example

Consider a simple site which displays a message that is passed as a GET parameter.

https://www.site.com/?msg=Welcome

This will display Welcome on the webpage.

But what if the attacker changes the URL to https://www.site.com/?msg=<script>alert(1)</script>

If there is no input sanitization for the parameter msg, the value will be rendered as a script and will execute.

If the victim clicks on such a link, the attacker can do anything the victim can do on the same site.

Impact

  • Malicious JavaScript can be executed in the victim's browser, where it can read anything on that page and modify the webpage (client-side).
  • JavaScript can be used to send XHR (XMLHttpRequest) with any content to any server.
  • An attacker might send the victim's cookies to the attacker's server and hijack the session.
  • XSS can be used to bypass CSRF tokens.

Prevention

  • Never trust the user: validate user input strictly against the expected input.
  • Use HTML entity encoding
    • Output generated from user input should be encoded before it is put into the HTML webpage, so that the web browser will not consider it active content.
    • HTML encoding converts &, <, >, ", ', / into &amp;, &lt;, &gt;, &quot;, &#x27;, &#x2F;
  • Set the HTTP response headers Content-Type and X-Content-Type-Options
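The message site from the example above, rendered once without any protection and once with the two prevention rules applied. This is an added illustration, not code from the original page; the page template, the msg allow-list pattern and the helper names are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed example (not from the original page): the page's message site
# rendered once without encoding and once with the two prevention rules applied.

# Entity table from the "HTML entity encoding" rule: & < > " ' /
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}
PAGE_TEMPLATE = "<html><body><p>{msg}</p></body></html>"
# Allow-list for the expected input: a short greeting of letters, digits and spaces.
MSG_PATTERN = re.compile(r"[A-Za-z0-9 ]{1,64}")

def msg_from_url(url: str) -> str:
    """Extract the msg GET parameter, as the page's example site does."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]

def html_encode(text: str) -> str:
    """Encode char by char so the browser treats the result as text, not markup."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)

def render_vulnerable(msg: str) -> str:
    """msg is reflected into the page unchanged: active content executes."""
    return PAGE_TEMPLATE.format(msg=msg)

def validate_msg(msg: str) -> Optional[str]:
    """Rule 1: accept only the expected input shape, reject everything else."""
    return msg if MSG_PATTERN.fullmatch(msg) else None

def render_hardened(msg: str) -> str:
    """Rules 1 and 2: validate, then entity-encode before reflecting."""
    safe = validate_msg(msg)
    if safe is None:
        safe = "Invalid message"   # never echo the rejected value back
    return PAGE_TEMPLATE.format(msg=html_encode(safe))

def is_active_content(html: str) -> bool:
    """Demo check: did a <script> tag survive into the rendered page?"""
    return "<script>" in html.lower()
```

Encoding is applied even after validation passes, so a later relaxation of the allow-list does not silently reintroduce the reflection.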

Tools