CAPEC-591: Reflected XSS

Description

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.

Extended Description

The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a reposnse that is then sent back to the victim. To launch a successful Reflected XSS attack, an adversary looks for places where user-input is used directly in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

Severity :

Very High

Possibility :

High

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-18: XSS Targeting Non-Script Elements XSS Targeting Non-Script Elements CAPEC-32: XSS Through HTTP Query Strings XSS Through HTTP Query Strings CAPEC-63: Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) CAPEC-86: XSS Through HTTP Headers XSS Through HTTP Headers CAPEC-198: XSS Targeting Error Pages XSS Targeting Error Pages CAPEC-199: XSS Using Alternate Syntax XSS Using Alternate Syntax CAPEC-243: XSS Targeting HTML Attributes XSS Targeting HTML Attributes CAPEC-244: XSS Targeting URI Placeholders XSS Targeting URI Placeholders CAPEC-245: XSS Using Doubled Characters XSS Using Doubled Characters CAPEC-247: XSS Using Invalid Characters XSS Using Invalid Characters

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

An application that leverages a client-side web browser with scripting enabled.
An application that fail to adequately sanitize or encode untrusted input.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Medium Requires the ability to write malicious scripts and embed them into HTTP requests.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visit http://capec.mitre.org/ for more details.