CAPEC-591
Description
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.
Prerequisites
An application that leverages a client-side web browser with scripting enabled.
An application that fail to adequately sanitize or encode untrusted input.
Mitigations
Use browser technologies that do not allow client-side scripting.
Utilize strict type, character, and encoding enforcement.
Ensure that all user-supplied input is validated before use.
Skills Required
[Medium] Requires the ability to write malicious scripts and embed them into HTTP requests.