Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
Suppose a website has a search function which receives the user-supplied search term in a URL parameter:
The application echoes the supplied search term in the response to this URL:
<p>You searched for: hello</p>
Assuming the application doesn’t perform any other processing of the data, an attacker can construct an attack like this:
This URL results in the following response:
<p>You searched for: <script>/* Bad stuff here… */</script></p>
If another user of the application requests the attacker’s URL, then the script supplied by the attacker will execute in the victim user’s browser, in the context of their session with the application.
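The search handler described above, written out as an added example (this is not code from the original post or from any real application). The vulnerable render function concatenates the query parameter straight into the HTML, the hardened one escapes it at the point of output, and a small reflection probe shows the check a tester would run against a candidate parameter. The host name, the parameter name "term" and the page markup are assumptions.

```javascript
// Added example; hypothetical search endpoint, not the original page's code.
// Assumed: the search term arrives in a query parameter named "term".

// Vulnerable: the untrusted parameter is concatenated directly into HTML.
function renderSearchVulnerable(term) {
  return `<p>You searched for: ${term}</p>`;
}

// Escape the characters that can break out of an HTML text node or a
// quoted attribute value. This is output encoding for the HTML context;
// other contexts (JavaScript, URL, CSS) need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, but the term is escaped where it is written into HTML.
function renderSearchSafe(term) {
  return `<p>You searched for: ${escapeHtml(term)}</p>`;
}

// Pull the search term out of a request URL the way a handler would.
function termFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get('term') ?? '';
}

// Constructed attacker URL in the shape the post describes (assumed host).
const ATTACK_URL = 'https://insecure-website.example/search?term=' +
  encodeURIComponent('<script>/* Bad stuff here... */</script>');

// Reflection probe: submit a unique marker wrapped in angle brackets and check
// whether it comes back unencoded. If it does, the parameter is reflected
// into HTML without escaping and is a candidate for reflected XSS.
function reflectsUnescaped(render, marker = 'xssprobe' + Date.now()) {
  const probe = `<${marker}>`;
  return render(probe).includes(probe);
}

// Walk through the attack: what each version of the page returns for the
// attacker's URL, and what the probe says about each.
function demo() {
  const term = termFromUrl(ATTACK_URL);
  return {
    term,
    vulnerableResponse: renderSearchVulnerable(term),
    safeResponse: renderSearchSafe(term),
    vulnerableReflects: reflectsUnescaped(renderSearchVulnerable),
    safeReflects: reflectsUnescaped(renderSearchSafe),
  };
}

console.log(demo());
```

The probe uses a marker rather than a real `<script>` payload so it can be run against a production target without firing any script; the presence of the unencoded angle brackets in the response is the finding, and the payload is only needed to prove impact afterwards.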
IMPACT OF THE VULNERABILITY
If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user. Among other things, the attacker can:
- Perform any action within the application that the user can perform.
- View any information that the user is able to view.
- Modify any information that the user is able to modify.
- Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
There are various means by which an attacker might induce a victim user to make a request that the attacker controls, in order to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows user-generated content, or sending a link in an email, tweet or other message.
Because the attack depends on this external delivery mechanism, the impact of reflected XSS is generally less severe than that of stored XSS, where a self-contained attack can be delivered within the vulnerable application itself.
REAL WORLD EXAMPLE OF THIS VULNERABILITY:
Steps To Reproduce:
How this can be done by an attacker
As this injection happens in a GET parameter, the attacker simply needs to send the crafted link that produces this GET request to the victim and have the victim click it.