Control Strategy SuspendServiceVulnerableToXSS.Implementation

URI: CSG-SuspendServiceVulnerableToXSS-Implementation-Runtime

Package: Network

< prev | next >

Description: Process Service has been disabled by the manager of its host HostManager to prevent it being exploited in a cross-site scripting attack. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing device SHost where Service is running. The Disabled Process control should be deselected only when the process has been restarted.

        (empty)

CSG-SuspendServiceVulnerableToXSS-Implementation-Runtime
CC.AuC.DFrXSS.3

Reflected XSS exploit on Client via Service injected via client input Data from FlowsFrom: an attacker who can inject malicious content into input Data flowing to Client from FlowsFrom can exploit a bug in Service to send a harmful script to the client browser. We assume this will make the browser leak authentication credentials, such as a password or session key.
CSG-SuspendServiceVulnerableToXSS-Implementation-Runtime
CC.AuC.DFsXSS.3

Stored XSS exploit against Client by Service injected via input Data from FlowsFrom: an attacker who can inject malicious content into input Data flowing to Service from FlowsFrom can exploit a bug in Service, and send a harmful script to a trusting client browser Client. We assume this will make the browser leak authentication credentials, such as a password or session key.
CSG-SuspendServiceVulnerableToXSS-Implementation-Runtime
CC.AuC.DSrXSS.3

Reflected XSS exploit on Client from Service injected via locally stored client input Data: an attacker who can inject malicious content into locally stored input Data used by Client can exploit a bug in Service and send a harmful script to the client browser. We assume this will make the browser leak authentication credentials, such as a password or session key.
CSG-SuspendServiceVulnerableToXSS-Implementation-Runtime
CC.AuC.DSsXSS.3

Stored XSS exploit from Service against Client: an attacker who can inject malicious content into service input Data stored on SHost can exploit a bug in Service, and send a harmful script to a trusting client browser Client. We assume this will make the browser leak authentication credentials, such as a password or session key.

        (empty)