From the CVSS v2 complete guide:

"SCORING TIP #2: When scoring a vulnerability, consider the direct impact to the target host only. For example, consider a cross-site scripting vulnerability: the impact to a user's system could be much greater than the impact to the target host. However, this is an indirect impact. Cross-site scripting vulnerabilities should be scored with no impact to confidentiality or availability, and partial impact to integrity."

I know cross-site scripting is divided into 3 main types: reflected XSS, stored XSS and DOM-based XSS.
However, why is XSS scored with PARTIAL impact to integrity instead of NO impact to integrity? If an XSS vulnerability is a reflected XSS, can the XSS be scored with no impact to integrity?

tim
Matt Elson

2 Answers

Example for impact on integrity: Say there is a profile update page which has a CSRF token implemented, but reflected XSS is also present. Now you can steal this token with the help of the XSS and you can cause unwanted changes in the profile of the victim. Here is the article for your reference.

Many of the XSS vulnerabilities were marked with PARTIAL impact because in CVSS v2 only the target host should be considered for calculating the impact. XSS is a vulnerability which also affects the browser of the victim and can cause more damage to the victim's machine.

This is improved upon in CVSS version 3 which states:

Whether a successfully exploited vulnerability affects one or more components, the impact metrics are scored according to the component that suffers the worst outcome that is most directly and predictably associated with a successful attack.

one

If an XSS vulnerability is a reflected XSS, can the XSS be scored with no impact to integrity?

No, the type of the XSS vulnerability doesn't affect the impact metrics at all.

It doesn't matter if an XSS vulnerability is reflected, stored, or DOM-based, or if it requires user interaction, or if an account is required, or ... Those factors are caught by the access complexity and authentication metrics.

The impact, on the other hand, is always the same. It doesn't matter how the payload is delivered: once attacker-controlled JavaScript is running in the victim's browser, what can be done is the same.

why is XSS scored with PARTIAL impact to integrity instead of NO impact to integrity?

When evaluating the impact, only the impact on the host is to be considered:

SCORING TIP #2: When scoring a vulnerability, consider the direct impact to the target host only. For example, consider a cross-site scripting vulnerability: the impact to a user's system could be much greater than the impact to the target host. However, this is an indirect impact. Cross-site scripting vulnerabilities should be scored with no impact to confidentiality or availability, and partial impact to integrity. (CVSSv2 spec)

I can think of two options for the integrity score:

  • With XSS, an attacker changes what data a host sends to its user, which is a direct impact on the integrity of the host. An attacker can alter the data, and thus perform various attacks, such as displaying a login form for phishing attacks (an indirect impact on confidentiality which isn't considered in CVSSv2), read out client-side data (like cookies, which again isn't considered as a direct confidentiality impact), etc.
  • As @one suggested, an attacker could modify data in a web-application by bypassing CSRF protection, which would have a partial - but obviously not complete - impact on the host. I find this explanation less likely, as it would also imply that there should be an impact on availability (at least for some applications), and may also somewhat imply a confidentiality impact (see my question about that here).
tim
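To make the arithmetic behind this answer concrete, here is a CVSS v2 base-score calculator added as an example (it is not code from either answer or from the CVSS guide). The metric weights and the base equation are those published in the CVSS v2 guide; the vector strings are constructed for the cases discussed in the thread. It shows that a hypothetical XSS scored C:N/I:N/A:N collapses to a base score of 0.0, while the reflected, easier-to-reach and authenticated variants differ only through the exploitability metrics (AC, Au), with the impact side unchanged.

```python
"""CVSS v2 base-score calculator (added example, not from the original post).

Weights and formula are those of the CVSS v2 base equation. The vectors in
XSS_VECTORS are constructed to illustrate the scoring discussion above.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 base equation.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:M/Au:N/C:N/I:P/A:N' into metric -> weight."""
    weights = {}
    for part in vector.split("/"):
        metric, value = part.split(":")
        weights[metric] = WEIGHTS[metric][value]
    if set(weights) != set(WEIGHTS):
        raise ValueError(f"incomplete base vector: {vector}")
    return weights

def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the spec requires."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    # f(Impact) zeroes the whole score when every impact metric is None:
    # this is why an XSS scored C:N/I:N/A:N would have no score at all.
    if impact == 0:
        return 0.0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

# Constructed vectors: same C:N/I:P/A:N impact, varying exploitability.
XSS_VECTORS = {
    "typical reflected XSS":          "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "same XSS, lower access complexity": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
    "same XSS, single authentication":   "AV:N/AC:M/Au:S/C:N/I:P/A:N",
    "hypothetical XSS with I:N":         "AV:N/AC:M/Au:N/C:N/I:N/A:N",
}

if __name__ == "__main__":
    for label, vec in XSS_VECTORS.items():
        print(f"{base_score(vec):4.1f}  {vec}  {label}")
```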