3

What is the relationship between HTTP response codes and successful execution of XSS attacks? For example, I am using a commercial vulnerability scanner that reports an XSS vulnerability found in a certain web page. It further describes the attack by showing the request and response after XSS was injected. The response codes it gives are 0, HTTP 200 OK, HTTP 400 Bad Request, 403 Forbidden, etc. If the developer asks what is wrong with 400 Bad Request or 200 OK, how can a security analyst prove XSS was executed? So is there a way to tell whether XSS was successful or failed by looking at response codes like 200 OK?

Puja
  • 79
  • 2

1 Answer

9

TL;DR: Successful execution of XSS is unrelated to the response code.

XSS is the execution of attacker-injected code at the client side. The HTTP response, which includes the response code, is created at the server side. The server is not aware that the served content contains any problems (if the server knew this, it would not serve it) and thus cannot set the response code based on whether XSS is present or not.

In other words: XSS can happen with code 200, 403, ... but just from looking at these codes you don't know if XSS was successful or not.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Agree, but as a side note, it's not uncommon that WAFs make the application return a 403 when detecting an XSS attempt (e.g. when seeing angle brackets in the URL). So in some scenarios the return code may give the attacker an idea whether an XSS attempt has been blocked. – Arminius May 09 '18 at 20:10
  • Generally I think you're correct. But I wouldn't say there's no relationship, just a weak one. If you get back a 403, forbidden, it's an indicator the attack didn't work. Obviously it's possible it DID work, and the response code meant nothing. But you're of course correct that it doesn't really prove much of anything. – Steve Sether May 09 '18 at 20:21
  • Thanks everyone! makes much more sense now. If a Buffer Overflow returns 403, does it mean it was not a buffer overflow and input was rejected? – Puja May 09 '18 at 20:28
  • @Puja It might. It also might mean nothing. Modern computing infrastructure is complex. The 403 might come from a frontend webserver, and you overflowed something further down the pipe. Steffen's point is more that response codes don't really mean a whole lot for a vulnerability. That's what I mean by a weak relationship. – Steve Sether May 09 '18 at 21:33
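As an added example (not part of the answer above, and not the scanner's own logic), the following script shows what an analyst actually checks instead of the status code: whether a probe string is reflected in the response body with its HTML metacharacters intact. The responses are constructed inline; the probe value and the `Response` class are assumptions for the demo.

```python
import html
from dataclasses import dataclass

# Unique marker carrying HTML-significant characters (assumed value for the demo).
PROBE = 'probe7f3<>"\''


@dataclass
class Response:
    status: int
    body: str


# Constructed sample responses: the same probe comes back under different
# status codes, escaped in some bodies and unescaped in others.
SAMPLES = {
    "200_unescaped": Response(200, f"<p>Search results for {PROBE}</p>"),
    "200_escaped": Response(200, f"<p>Search results for {html.escape(PROBE)}</p>"),
    "400_unescaped": Response(400, f"<h1>Bad request</h1><p>{PROBE} is invalid</p>"),
    "403_waf": Response(403, "<h1>Forbidden</h1><p>Request blocked.</p>"),
}


def reflected_unescaped(resp: Response, probe: str = PROBE) -> bool:
    """True when the probe appears in the body with < > " ' untouched.

    This is the server-side evidence of an XSS sink. The status code is ignored
    on purpose: it says nothing about how the browser will parse the body.
    """
    return probe in resp.body


def classify(resp: Response, probe: str = PROBE) -> str:
    """Verdict an analyst would attach to a scanner finding for this response."""
    if reflected_unescaped(resp, probe):
        return "reflected unescaped: likely XSS sink, confirm by rendering in a browser"
    if html.escape(probe) in resp.body:
        return "reflected but encoded: no XSS from this sink"
    return "not reflected: nothing to execute (filtered or blocked upstream)"


def status_alone_is_inconclusive(samples: dict) -> bool:
    """True if some status code occurs with both outcomes, so the code cannot decide."""
    outcomes: dict = {}
    for resp in samples.values():
        outcomes.setdefault(resp.status, set()).add(reflected_unescaped(resp))
    return any(len(seen) > 1 for seen in outcomes.values())


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:14s} HTTP {resp.status}: {classify(resp)}")
    print("status code alone is inconclusive:", status_alone_is_inconclusive(SAMPLES))
```

The two 200 responses give opposite verdicts, which is the point of the answer: the evidence lives in the body, so the proof for the developer is the unescaped reflection (and a browser rendering it), not the code.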