Survey the application: Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.
Attempt injection payload variations on input parameters: Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads. He records all the responses from the server that include unmodified versions of his script.
Use a list of XSS probe strings using different URI schemes to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier to trace the injected string back to the entry point.
Use a proxy tool to record results of manual input of XSS probes in known URLs.
Steal session IDs, credentials, page content, etc.: As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Content spoofing: By manipulating the content, the attacker targets the information that the user would like to get from the website
Web applications that take user controlled inputs and reflect them in URI HTML placeholder without a proper validation are at risk for such an attack.
An attacker could inject the previous payload that would be placed in a URI placeholder (for example in the anchor tag HREF attribute):
<a href="INJECTION_POINT">My Link</a>
Once the victim clicks on the link, the browser will decode and execute the content from the payload. This will result on the execution of the cross-site scripting attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
To inject the malicious payload in a web page
Ability to send HTTP request to a web application
Solutions and Mitigations
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.
Implementation: Perform input validation for all remote content, including remote and user-generated content
Implementation: Perform output validation for all remote content.
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Modify files or directories
Read files or directories
Modify application data
Read application data
Execute unauthorized code or commands
Run Arbitrary Code
Gain privileges / assume identity
Bypass protection mechanism
Any HTTP Request transport variables (GET, POST, Headers, etc.)
XSS malicious script leveraging URI schemes
Client web browser where script is executed
Payload Activation Impact
Client web browser may be used to steal session data, passwords, cookies, and other tokens.
More information is available — Please select a different filter.
Page Last Updated or Reviewed:
July 31, 2017
Use of the Common Attack Pattern Enumeration and Classification dictionary and classification taxonomy, and the associated references from this website, are subject to the