A threat actor may inject malicious content into HTTP requests. The content will be reflected in the HTTP response and executed in the victim's browser.
- Threat actor crafts an email with a malicious request to a vulnerable target and sends the email to Bob
- Bob clicks on the email and sends the request to the vulnerable target
- The target includes the malicious code as part of the response and sends it back to Bob
- Bob's browser executes the malicious code that calls back the threat actor
Vary
- Read & modify data
- Server input validation
- Output encoding
- Browser built-in XSS preveiton
cb251c97-067d-4f13-8195-4f918273f41b