An application lets user-controlled input shape the Document Object Model (DOM) of the page it returns. A threat actor can exploit this by injecting a malicious payload into a request to a trusted web application; the application reflects the payload into its response, and when a victim's browser renders that response it executes the payload. The vulnerability is reflected in the HTTP request or response and is triggered on the client side.
1. Clone this current repo recursively

```bash
git clone --recursive https://github.com/qeeqbox/reflected-cross-site-scripting
```

2. Run the webapp using Python

```bash
python3 reflected-cross-site-scripting/vulnerable-web-app/webapp.py
```

3. Open the webapp in your browser at 127.0.0.1:5142
4. Open the network tab in the developer tools to examine the requests and responses
5. If you append `test` to the URL, it takes you to the `test` resource (page). That page does not exist, but the `test` keyword gets embedded in the error page that comes back
6. A threat actor could embed a malicious payload in such a URL and send it to a victim using social engineering. If the victim falls for it, their browser sends the request to the webapp, and the browser then executes the reflected payload

The logic below checks whether the requested page has a route or exists; if it does not, it passes the requested page value to the `msg_page()` function:
```python
def do_GET(self):
    ...
    # The decoded request path is placed, unescaped, into the 404 message
    # that msg_page() will embed in the HTML template.
    self.send_content(404, [('Content-type', 'text/html')], self.msg_page(f"Error: The requested URL {urllib_parse.unquote(parsed_url.path)} was not found".encode("utf-8")))
    ...
```
The `msg_page()` function embeds the user value in the web page by plain byte substitution, with no HTML encoding:

```python
from os import path

# TEMPLATE_FOLDER is defined elsewhere in webapp.py and points at the
# directory containing msg.html.

def msg_page(self, msg, prev=None):
    with open(path.join(TEMPLATE_FOLDER, "msg.html"), "rb") as fi:
        if prev:
            return fi.read().replace(b"{{msg-result}}", msg).replace(b"{{msg-prev}}", prev).replace(b"{{msg-page}}", b"Return")
        else:
            return fi.read().replace(b"{{msg-result}}", msg).replace(b"{{msg-prev}}", b"/").replace(b"{{msg-page}}", b"Home")
```
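To make the defect in the two snippets above concrete, here is an added example (not code from the qeeqbox project) that reproduces the unescaped reflection next to a hardened version of the same 404 page. It assumes a constructed inline template standing in for `msg.html` with the same three placeholders, and the request path used in the test is a constructed marker, not an attack from the page. The fix is output encoding with `html.escape()` before the value is embedded, plus a restrictive `Content-Security-Policy` header as a second layer; the `contains_raw_tag()` helper is a simple regression check a project could run over rendered responses.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse as urllib_parse

# Constructed stand-in for msg.html (assumption: same placeholders as the real file).
MSG_TEMPLATE = (
    b"<html><body><p>{{msg-result}}</p>"
    b"<a href=\"{{msg-prev}}\">{{msg-page}}</a></body></html>"
)


def render_vulnerable(requested_path: str) -> bytes:
    """Mirrors the page's behaviour: the URL-decoded path is spliced into the
    template as raw bytes, so any markup in it reaches the browser intact."""
    msg = f"Error: The requested URL {urllib_parse.unquote(requested_path)} was not found".encode("utf-8")
    return (MSG_TEMPLATE.replace(b"{{msg-result}}", msg)
            .replace(b"{{msg-prev}}", b"/")
            .replace(b"{{msg-page}}", b"Home"))


def render_hardened(requested_path: str) -> bytes:
    """Same page, but the untrusted value is HTML-escaped before it is
    embedded, so '<', '>', '&' and quotes become inert entities."""
    safe = html.escape(urllib_parse.unquote(requested_path), quote=True)
    msg = f"Error: The requested URL {safe} was not found".encode("utf-8")
    return (MSG_TEMPLATE.replace(b"{{msg-result}}", msg)
            .replace(b"{{msg-prev}}", b"/")
            .replace(b"{{msg-page}}", b"Home"))


def contains_raw_tag(rendered: bytes) -> bool:
    """Regression check: does the rendered body contain an unescaped script tag?"""
    return b"<script" in rendered.lower()


class HardenedHandler(BaseHTTPRequestHandler):
    """Minimal handler (hypothetical, not the project's) serving the escaped 404 page."""

    def do_GET(self):
        body = render_hardened(urllib_parse.urlparse(self.path).path)
        self.send_response(404)
        self.send_header("Content-type", "text/html; charset=utf-8")
        # Defence in depth: even if an encoding bug slips through, inline
        # script is blocked by the browser.
        self.send_header("Content-Security-Policy", "default-src 'self'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Same host/port as the vulnerable app in the README, for side-by-side comparison.
    HTTPServer(("127.0.0.1", 5142), HardenedHandler).serve_forever()
```

Run it and request a non-existent path containing markup: the vulnerable renderer returns the tag verbatim, while the hardened one returns `&lt;script&gt;...` and the browser displays it as text.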
Vary
- Session Hijacking
- Credential Theft
- Server input validation