CAPEC-591: Reflected XSS
CAPEC Version: 3.9
Updated: 2023-01-24
Attack Pattern Description
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim (typically embedded in a URL parameter or form field) and convincing the victim to send it to the vulnerable web application, which echoes it back in the response without adequate encoding, so the script runs in the victim's browser in the application's origin.
Execution Flow
Step 1: Explore
[Survey the application for user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
- Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all links visited during a manual traversal of the web application.
- Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery.
Step 2: Experiment
[Probe identified potential entry points for reflected XSS vulnerability] The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
- Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, each probe string carries a unique identifier so that a reflection found in the response can be traced back to the parameter that produced it.
- Use a proxy tool to record results of manual input of XSS probes in known URLs.
- Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.
Step 3: Experiment
[Craft malicious XSS URL] Once the adversary has determined which parameters are vulnerable to XSS, they craft a malicious URL containing the XSS exploit. The adversary's goals vary and include stealing session IDs, cookies, credentials, and page content from the victim.
- Change a URL parameter to include a malicious script tag.
- Send information gathered from the malicious script to a remote endpoint.
Step 4: Exploit
[Get victim to click URL] In order for the attack to be successful, the victim needs to access the malicious URL.
- Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink so as not to show the full URL, which might draw suspicion.
- Put the malicious URL on a public forum, where many victims might accidentally click the link.
Prerequisites
- An application that leverages a client-side web browser with scripting enabled.
- An application that fails to adequately sanitize or encode untrusted input.
Skills Required
Resources Required
- None: No specialized resources are required to execute this type of attack.
Consequences
Scope: Confidentiality
Technical Impact: Read Data
Note: A successful Reflected XSS attack can enable an adversary to exfiltrate sensitive information from the application.
Scope: Confidentiality, Authorization, Access Control
Technical Impact: Gain Privileges
Note: A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Commands
Note: A successful Reflected XSS attack can enable an adversary to run script of their choosing in the victim's browser, within the origin of the vulnerable application, which can amount to a complete compromise of the victim's session with the application.
Scope: Integrity
Technical Impact: Modify Data
Note: A successful Reflected XSS attack can allow an adversary to tamper with application data.
Mitigations
Use browser technologies that do not allow client-side scripting (rarely practical for modern applications, but it removes the execution vector entirely).
Utilize strict type, character, and encoding enforcement.
Ensure that all user-supplied input is validated before use, and that any value reflected into a response is output-encoded for the context (HTML body, attribute, JavaScript, URL) in which it is placed.
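The following is an added example, not part of the CAPEC entry, that ties the Execution Flow above (the Experiment-phase probe with a unique identifier) to the Mitigations (validation plus output encoding). It models a toy "search" page rendered two ways: a vulnerable handler that reflects the `q` parameter verbatim, and a hardened one that validates the input and HTML-encodes it at the point of output. The base URL `https://example.test/search`, the parameter name `q`, the probe format and the marker string are all constructed for illustration; the "server" is a local function standing in for the HTTP round trip, so the code runs offline.

```javascript
// Added example (not CAPEC's own code). A reflected-XSS probe run against a
// vulnerable and a hardened version of the same page, entirely in-process.

// Minimal HTML entity encoding for text content and double-quoted attribute
// values. Encoding happens at output, in the context where the data lands.
function encodeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'/]/g, (c) => map[c]);
}

// VULNERABLE (the flaw CAPEC-591 describes): the q parameter is decoded from
// the URL and interpolated straight into the HTML body.
function renderSearchVulnerable(urlString) {
  const q = new URL(urlString).searchParams.get('q') ?? '';
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// HARDENED: strict type/length enforcement on the way in, contextual output
// encoding on the way out. Invalid input is rejected rather than "cleaned".
function renderSearchHardened(urlString) {
  const raw = new URL(urlString).searchParams.get('q') ?? '';
  if (typeof raw !== 'string' || raw.length > 200) {
    return '<html><body><h1>Invalid query</h1></body></html>';
  }
  return `<html><body><h1>Results for: ${encodeHtml(raw)}</h1></body></html>`;
}

// Probe string carrying a unique marker (alphanumeric so it survives any
// encoding). Breaks out of an attribute and opens a script block; the marker
// lets us attribute a reflection to this exact parameter and request.
function makeProbe(marker) {
  return `"><script>/*${marker}*/</script><"`;
}

// Experiment phase: inject the probe into `param`, fetch the page through
// `render` (stand-in for an HTTP request), and classify the result.
//   reflected  - the marker appears anywhere in the response
//   vulnerable - the full probe came back byte-for-byte, i.e. unencoded
//   encoded    - reflected, but the special characters were neutralised
function probeForReflectedXss(render, baseUrl, param, marker) {
  const url = new URL(baseUrl);
  url.searchParams.set(param, makeProbe(marker)); // percent-encodes for transport
  const body = render(url.toString());
  const reflected = body.includes(marker);
  const vulnerable = body.includes(makeProbe(marker));
  return { url: url.toString(), reflected, vulnerable, encoded: reflected && !vulnerable };
}

// Stand-alone run: same probe, two targets, two verdicts.
const BASE = 'https://example.test/search'; // constructed target
const MARKER = 'capecprobe7f3a9c';           // constructed unique identifier
console.log('vulnerable handler:', probeForReflectedXss(renderSearchVulnerable, BASE, 'q', MARKER));
console.log('hardened handler:  ', probeForReflectedXss(renderSearchHardened, BASE, 'q', MARKER));
```

Note that the probe URL produced by `probeForReflectedXss` is exactly the artefact Step 3 would weaponise: swap the inert `/*marker*/` comment for a payload that posts `document.cookie` to an attacker-controlled endpoint and you have the malicious URL delivered in Step 4. The hardened handler's `encoded: true` verdict is the outcome the mitigations aim for: the input is still echoed, but `<`, `>` and `"` arrive as entities and the browser never sees a tag.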