
150001 Reflected Cross-Site Scripting (XSS) Vulnerability

Question asked by mgltacoma on Feb 2, 2015
Latest reply on Feb 4, 2015 by WillB

I am a little confused about this particular reflected XSS vulnerability. I read here: Testing for Reflected Cross site scripting (OTG-INPVAL-001) - OWASP

The article explains it as "Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page. The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim."

My question is: how can an attacker make the victim execute malicious code when the payload is in the request body, not in the URI?

For example, say I have a website and a person logs in to his account.

Let us say Qualys reported that the payload was like this:

POST https://reflectedxss123.net/update-my-info (this website does not exist btw)

PayLoad: _RequestTokenBunchOfTokenCharactersGoesHere&Name=John&ZipCode=10101&Address=789 A.st.%20%3Cscript%3E_q_q%3Drandom()%3C%2Fscript%3E&

Response#1: Provided data was invalid attempted value was: 789 A.st<script>_q_q=random()</script>

So from the response I can see that it is returning the script I sent in my payload. The reason is that the application is basically rejecting the update of the address field with those invalid characters and simply returning the invalid value. So how can one craft a link with that payload containing that script? As far as I understand it, the website does not allow the payload in the URI; it only allows it through the request body. Hopefully you understand my question.

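As an added example (not code from the question, Qualys or OWASP), a simulated /update-my-info handler in Python: it decodes a form body like the one quoted above, rejects the Address value, and shows the reflection point (the rejected value echoed verbatim into the error page) beside the fix (HTML-encoding the echoed value), plus the check a scanner applies to the response. The request body, the token value and the address validation rule are constructed for the example.

```python
import re
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed request body modelled on the one in the question; the token is a placeholder.
# After decoding, Address is "789 A.st. <script>_q_q=random()</script>".
SAMPLE_BODY = (
    "_RequestToken=PLACEHOLDER_TOKEN&Name=John&ZipCode=10101"
    "&Address=789%20A.st.%20%3Cscript%3E_q_q%3Drandom()%3C%2Fscript%3E"
)

# Constructed allow-list for a street address; "<" and ">" are not permitted.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9 .,'#-]{1,100}$")


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body the way a web framework does.
    The server sees the decoded value whether it arrived in the URI or the body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def error_message_vulnerable(value: str) -> str:
    # Echoes the rejected value verbatim into HTML: this is the reflection point.
    return f"Provided data was invalid attempted value was: {value}"


def error_message_fixed(value: str) -> str:
    # Same message, HTML-encoded so the browser renders text instead of a script element.
    return f"Provided data was invalid attempted value was: {escape(value, quote=True)}"


def handle_update(body: str, fixed: bool = True) -> Tuple[int, str]:
    """Simulated /update-my-info handler: validate Address and reflect it on failure."""
    form = parse_form(body)
    address = form.get("Address", "")
    if ADDRESS_RE.fullmatch(address):
        return 200, "Address updated"
    msg = error_message_fixed(address) if fixed else error_message_vulnerable(address)
    return 400, f"<p>{msg}</p>"


def reflects_active_content(html_out: str) -> bool:
    """Detection check: the response contains a raw <script element (what a scanner flags)."""
    return "<script" in html_out.lower()
```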