Delivery Mechanisms for XSS Attacks

Having identified an XSS vulnerability and formulated a suitable payload to

exploit it, an attacker needs to find some means of delivering the attack to

other users of the application. We have already discussed several ways in

which this can be done. In fact, there are many other delivery mechanisms

available to an attacker.

In addition to the obvious phishing vector of bulk emailing a crafted URL to

random users, an attacker may attempt to deliver a reflected or DOM-based

XSS attack via the following mechanisms:

■■

In a targeted attack, a forged email may be sent to a single target user,

could be sent an email apparently originating from a known user, com-

plaining that a specific URL is causing an error. When an attacker wants

to compromise the session of a specific user (rather than harvest those

of random users) a well-informed and convincing targeted attack is

often the most effective delivery mechanism.

■■

A URL can be fed to a target user in an instant message.

Content and code on third-party web sites can be used to generate

requests that trigger XSS flaws. For example, 

wahh-innocuous.com

might contain interesting content as an inducement for users to visit,

but it may also contain scripts that cause the user’s browser to make

requests containing XSS payloads to a vulnerable application. If a user

is logged in to the vulnerable application, and happens to browse 

wahh-

innocuous.com

will be compromised.

Having created a suitable web site, an attacker may use search engine

manipulation techniques to generate visits from suitable users — for