Scala: Reflected XSS
Classification
Overview
A Reflected Cross-Site Scripting (reflected XSS) attack or client-side XSS attack is possible.
Cross-site scripting is one of the most common types of attacks on web applications. XSS attacks rank seventh on the OWASP Top 10 2017 list of the ten most significant vulnerabilities in web applications.
The main step in any XSS attack is the execution of the malicious code, unnoticed by the victim, in the context of a vulnerable application. This is done by using the functionality of the client application (browser), which allows the automatic execution of scripts embedded in the code of a web page. Most often, such malicious scripts are implemented in JavaScript.
The consequences of XSS can vary from broken application functionality to complete loss of privacy of user data. Malicious code in an XSS attack can steal a user's HTTP cookie, giving the attacker the ability to make requests to the server on behalf of the user.
OWASP offers the following classification of XSS attacks:
- Server-side XSS occurs when data from an untrusted source is included in the response returned by the server. The source of this data can be either user input or the server's database (where it was injected in advance by an attacker who exploited vulnerabilities in the server side of the application).
- Client-side XSS occurs when unvalidated data is used by client-side code to modify the Document Object Model (DOM) of a web page received from the server. The source of such data can be either the DOM itself or data received from the server (for example, in response to an AJAX request).
A typical server-type attack scenario:
- Unchecked data, usually from an HTTP request, enters the server side of the application.
- The server dynamically generates a web page that includes the unverified data.
- While generating the page, the server does not prevent the data from introducing content that the client application (browser) will execute or interpret, such as JavaScript code, HTML tags, HTML attributes, Flash, ActiveX, etc.
- The victim's browser renders the page, including the malicious code that was injected along with the data from the unverified source.
- Because the malicious code arrives as part of a page served by a known server, the client part of the application (browser) executes it with the privileges granted to that application.
- This defeats the same-origin policy, which is meant to stop code from one origin accessing resources of another origin.
Client-side attacks follow a similar pattern, with the difference being that the malicious code is injected at the stage when the client application is working with the object model of the document received from the server.
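The server-side scenario above in plain Scala, as an added example that is not part of the original page: a handler that reflects a query parameter into the HTML body and into an attribute value, beside the same handler with contextual output encoding applied at the point of output. `Request`, `renderSearchUnsafe`, `renderSearchSafe` and `escapeHtml` are hypothetical names, and no web framework is assumed.

```scala
// Added example, not from the original page: a minimal reflected-XSS
// handler in plain Scala beside its hardened form. The Request model and
// the render*/escapeHtml names are hypothetical; no web framework is used.
object ReflectedXssDemo {

  // Stands in for the query-string parameters of an HTTP request.
  final case class Request(params: Map[String, String])

  // VULNERABLE: the untrusted parameter is interpolated straight into the
  // HTML body and into an attribute value, so any markup in it becomes
  // part of the page the browser parses and executes.
  def renderSearchUnsafe(req: Request): String = {
    val q = req.params.getOrElse("q", "")
    s"<h1>Results for $q</h1>\n<input name=\"q\" value=\"$q\">"
  }

  // Output encoding for HTML text and double-quoted attribute contexts:
  // each character that can open a tag, close an attribute or start an
  // entity is replaced by its character reference.
  def escapeHtml(s: String): String = {
    val sb = new StringBuilder(s.length)
    s.foreach {
      case '&'  => sb.append("&amp;")
      case '<'  => sb.append("&lt;")
      case '>'  => sb.append("&gt;")
      case '"'  => sb.append("&quot;")
      case '\'' => sb.append("&#x27;")
      case c    => sb.append(c)
    }
    sb.toString
  }

  // HARDENED: same page, but the parameter is encoded at the point of
  // output, so the browser shows the markup as text instead of parsing it.
  def renderSearchSafe(req: Request): String = {
    val q = escapeHtml(req.params.getOrElse("q", ""))
    s"<h1>Results for $q</h1>\n<input name=\"q\" value=\"$q\">"
  }

  def main(args: Array[String]): Unit = {
    // Constructed input that closes the attribute and adds a tag; harmless
    // <b> markup is enough to show whether the parameter reaches the parser.
    val req    = Request(Map("q" -> "\"><b>reflected</b>"))
    val unsafe = renderSearchUnsafe(req)
    val safe   = renderSearchSafe(req)
    assert(unsafe.contains("value=\"\"><b>reflected</b>\">"))     // attribute escaped from
    assert(safe.contains("value=\"&quot;&gt;&lt;b&gt;reflected&lt;/b&gt;\"")) // inert text
    println(unsafe); println(safe)
  }
}
```

The same encoding must be chosen per context: the HTML entity set shown here is not sufficient for data placed inside a script block, a URL or a CSS value, which the OWASP XSS Prevention Cheat Sheet covers separately.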
References
- OWASP: Cross-site Scripting (XSS)
- CWE-79: Improper Neutralization of Input During Web Page Generation
- OWASP: Types of Cross-Site Scripting
- OWASP: XSS Prevention Cheat Sheet
- OWASP Top 10 2017: A7 - Cross-Site Scripting (XSS)
- CWE Category: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
