Second case – Reflected XSS

The tester was able to inject JavaScript into the URL parameter, and the browser executed the script:

  • AV:N: The hacker will connect through a network to execute the attack.
  • AC:L: The complexity is very low; the hacker tested the JavaScript on all browsers, and it worked.
  • PR:N: No privilege is required.
  • UI:N: The victim needs to click on a link through a social engineering attack.
  • S:C: The scope is not the web server only; the victim browser is impacted, as well.
  • C:L: Since the HttpOnly flag is set, the confidentiality impact is low, because the attacker has not accessed sufficient cookie data to hijack the victim's session.
  • I:L: The hacker can probably change the data only in the victim's browser context.
  • A:N: The hacker will not be able to impact the availability of the server.