Unclear security impact of a Reflected XSS vulnerability



  • What is the security impact of a Reflected XSS vulnerability on a state website involved in financial relations? There are no user profiles on this page and it serves as an information board and a place to download project applications.



  • ... no user profiles on this page

    XSS (including reflected XSS) can basically do everything inside the site what the user with a browser can do. If there are no user profiles it can at least not impersonate any users. Note though that if there are users on the same domain or subdomain, then XSS might use existing session cookies to impersonate the logged in user and do actions in the name of the user, no matter if these specific actions are actually included in the specific page vulnerable to reflected XSS.

    ... serves as an information board and a place to download project applications

    XSS might also completely change the appearance of the site. And it can also change things which are not obvious, like changing the values in the shown financial information or make the download links point to malicious downloads instead. Note that these changes are only temporary in the rendered page, i.e. no server side changes are done. But if there is a way to edit such information it might be done using XSS too.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2