Reflected Cross Site Scripting (RXSS)

Medium

Description

'Reflection' is when a web application returns the data entered by a user via request into the web application response. 'Reflected Cross-Site Scripting' or 'RXSS' is a type of 'Browser Side Attacks or Client Side Attacks' attack where an attacker abuse the reflection and inexistence of input sanitization to inject JavaScript code into victim's responses to take control of their browsers, execute malicious code to steal session cookies, or even redirect them to other pages. Any reflected parameter of an application is suspected to be vulnerable but the most severe parameters are 'GET' parameters where an attacker can simply use the nature of 'GET' parameters where is being sent inside the URL to reflect malicious code into the victim responses. If the reflection happens via 'POST' parameter or what is sometimes referred to as 'Self Cross-Site Scripting' or 'SXSS' an attacker may not be able to exploit the reflection scenario unless there's no 'CSRF' protection. Sometimes an attacker may not be able to injection JavaScript Code, hence an attacker may try to inject another type of code such as HTML which is known as 'HTML Injection' to trick users into performing actions, or CSS code which is known as 'CSS Injection'

Attack Scenario

An attacker can inject JavaScript, HTML, CSS code into victims' responses to take control of their browsers, execute malicious code to steal session cookies, or even redirect them to other pages.

Mitigation

Never put untrusted data into your HTML input, unless you follow the rest of the steps below. Untrusted data is any data that may be controlled by an attacker, HTML form inputs, query strings, HTTP headers, even data sourced from a database as an attacker may be able to breach your database even if they cannot breach your application.

Before putting untrusted data inside an HTML element ensure it's HTML encoded. HTML encoding takes characters such as < and changes them into a safe form like <

Before putting untrusted data into an HTML attribute ensure it's HTML encoded. HTML attribute encoding is a superset of HTML encoding and encodes additional characters such as " and '.

Before putting untrusted data into JavaScript place the data in an HTML element whose contents you retrieve at runtime. If this isn't possible, then ensure the data is JavaScript encoded. JavaScript encoding takes dangerous characters for JavaScript and replaces them with their hex, for example, < would be encoded as \u003C.

Before putting untrusted data into a URL query string ensure its URL is encoded.

ID: 20002