A threat actor may inject malicious content into HTTP requests. The content is not reflected in the HTTP response but is executed in the victim's browser.

qeeqbox/dom-based-cross-site-scripting

Example #1

  1. Threat actor crafts an email containing a malicious request to a vulnerable target and sends the email to a victim
  2. The victim clicks the link in the email, which sends the request to the vulnerable target
  3. The target sends the malicious code back to the victim
  4. The victim's browser inserts the malicious code into the page
  5. When the malicious code executes, it calls back to the threat actor

Impact

Varies

Risk

  • Read & modify data

Remediation

  • Client-side input validation
  • Output encoding
  • Browser built-in XSS prevention
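
As an added illustration that is not part of this repository, the snippet below contrasts an unsafe DOM sink with the first two remediation items, using a hypothetical page that greets the user by a name taken from the URL fragment (#name=...); the element stub and the sample fragments are constructed so it also runs outside a browser.

```javascript
// Added example, not code from the qeeqbox repository: a hypothetical page that
// greets the user by a name read from the URL fragment, first through an unsafe
// DOM sink, then with input validation and output encoding applied.

// Minimal stand-in for a DOM element so the example runs outside a browser (constructed).
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Parse the value of a hypothetical "#name=" fragment. Fragment data stays on the
// client and never reaches the server, which is why it does not appear in the response.
function nameFromHash(hash) {
  const m = /^#name=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : '';
}

// VULNERABLE: untrusted fragment data flows straight into the innerHTML sink,
// so any markup in the name is parsed and inserted into the live DOM.
function renderGreetingVulnerable(el, hash) {
  el.innerHTML = 'Hello, ' + nameFromHash(hash);
  return el.innerHTML;
}

// Remediation 1, client-side input validation: allow-list the characters a name may contain.
const NAME_RE = /^[\p{L} .'-]{1,40}$/u;
function validateName(name) {
  return NAME_RE.test(name) ? name : 'guest';
}

// Remediation 2, output encoding: neutralise the characters the HTML parser acts on.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// HARDENED: validate, then write through a text sink (textContent never parses markup).
// If the greeting had to be built as HTML, escapeHtml() would run before innerHTML.
function renderGreetingSafe(el, hash) {
  const name = validateName(nameFromHash(hash));
  el.textContent = 'Hello, ' + name;
  return el.textContent;
}

// Constructed sample fragments: a benign name and one carrying markup.
const BENIGN_HASH = '#name=Ada';
const HOSTILE_HASH = '#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
```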

ID

cb251c97-067d-4f13-8195-4f918273f41b
