This repository tracks real-world incidents where reflected XSS was exploited. PRs welcome!
Reflected XSS is among the most prevalent vulnerability classes discovered during web application security testing (penetration testing, code analysis, etc.), but despite its prevalence, exploitation of such vulnerabilities in real-world incidents seems to be rare. The goal of this repo is to support risk assessment by aggregating empirical data about incidents.
We don't track:
- Stored XSS caused by server-side or frontend code.
While the primary focus is specifically on web applications, vulnerabilities affecting applications based on Electron and similar technologies can also provide interesting data points, so they will be tracked separately.
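To make the tracked vulnerability class concrete, here is a small added example (not code from this repository or from any of the incidents below) of the two halves a reflected XSS finding usually comes down to: a handler that copies a request parameter straight into HTML, the same handler with context-appropriate output encoding, and a defender-side check that tells the two apart. The query string and the `<b>probe</b>` marker are constructed for the example; the function names are hypothetical.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input: a query string as it would arrive in a crafted link.
# The marker is a harmless tag chosen only to detect whether output is encoded.
SAMPLE_QUERY = "q=<b>probe</b>"
MARKER = "<b>probe</b>"


def render_search_vulnerable(query_string: str) -> str:
    """Reflects the 'q' parameter into the HTML body without encoding.

    This is the defect class the repository tracks: whatever the link
    carries ends up as markup in the response.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def render_search_hardened(query_string: str) -> str:
    """Same page with HTML-body encoding applied at the output point.

    html.escape() covers the element-content context used here; other
    contexts (attribute values, URLs, inline script) need their own encoder.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def reflects_unencoded(render, marker: str = MARKER) -> bool:
    """Defender-side check: send a marker and see if it comes back verbatim.

    True means the renderer reflects raw markup (finding confirmed); False
    means the marker was encoded or not reflected at all.
    """
    response = render(f"q={marker}")
    return marker in response


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search_vulnerable),
                     ("hardened", render_search_hardened)):
        print(f"{name}: reflects unencoded = {reflects_unencoded(fn)}")
        print("  ", fn(SAMPLE_QUERY))
```

The check is deliberately a comparison of the response body against the exact marker: the question a reviewer or scanner asks about a reflected parameter is whether the encoding step exists at the output point, which is independent of any particular payload.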
Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a "direct, targeted attack."
Reference: https://www.zdnet.com/article/apache-org-hit-by-targeted-xss-attack-passwords-compromised/ (archived)
This may be CVE-2010-1164 (the only Jira XSS from 2010).
Analysis of the emails from these spear phishing campaigns led to a discovery: the attacker was attempting to exploit a zero-day cross-site scripting (XSS) vulnerability in the Zimbra email platform.
Reference: https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/ (archived)
This is CVE-2022-24682. Note that the advisory does not explicitly state that this XSS is reflected, but the unauthenticated nature of the exploit and the fact that the official advisory was not titled "Stored XSS" (as in other cases) point in this direction.
TAG first discovered the 0-day, a reflected cross-site scripting (XSS) vulnerability, in June when it was actively exploited in targeted attacks against Zimbra’s email server.
Reference: https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/ (archived)
This is CVE-2023-37580.
The list is suspiciously short (given how long we have known about XSS), suggesting that this attack is not preferred by attackers. To understand under what circumstances these vulnerabilities are exploited, it's worth identifying common parameters of the known incidents:
- Public facing application: The presence of the vulnerable implementation/configuration is trivially discoverable by attackers.
- Well-known software: The attackers can test the target software independently from the true target environment to develop reliable exploits.
- Useful information: The data accessible through the vulnerability (inside the affected web application) is immediately useful for the attacker; no pivoting is needed.
Note that the above factors can also distort the sample (e.g. exploits of internal/custom systems may not be newsworthy)!
TODO