Skip to content

A threat actor may inject malicious content into HTTP requests. The content will be reflected in the HTTP response and executed in the victim's browser

License

Notifications You must be signed in to change notification settings

qeeqbox/reflected-cross-site-scripting

Repository files navigation

A threat actor may inject malicious content into HTTP requests. The content will be reflected in the HTTP response and executed in the victim's browser.

Example #1

  1. Threat actor crafts an email with a malicious request to a vulnerable target and sends the email to Bob
  2. Bob clicks on the email and sends the request to the vulnerable target
  3. The target includes the malicious code as part of the response and sends it back to Bob
  4. Bob's browser executes the malicious code that calls back the threat actor

Impact

Vary

Risk

  • Read & modify data

Redemption

  • Server input validation
  • Output encoding
  • Browser built-in XSS preveiton

ID

cb251c97-067d-4f13-8195-4f918273f41b

References

About

A threat actor may inject malicious content into HTTP requests. The content will be reflected in the HTTP response and executed in the victim's browser

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Sponsor this project