CAPEC-591

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: Very High
Reflected XSS

Description

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.

Prerequisites

An application that leverages a client-side web browser with scripting enabled.

An application that fail to adequately sanitize or encode untrusted input.

Mitigations

Use browser technologies that do not allow client-side scripting.

Utilize strict type, character, and encoding enforcement.

Ensure that all user-supplied input is validated before use.

Skills Required

[Medium] Requires the ability to write malicious scripts and embed them into HTTP requests.