Control Strategy SuspendServiceVulnerableToXSS

URI: CSG-SuspendServiceVulnerableToXSS

Package: Network

< prev | next >

Description: Service Service may be temporarily disabled by the manager of its host HostManager to prevent a known vulnerability being exploited in a cross-site scripting attack. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

        (empty)

CSG-SuspendServiceVulnerableToXSS
CC.AuC.DFrXSS.3

Reflected XSS exploit on Client via Service injected via client input Data from FlowsFrom: an attacker who can inject malicious content into input Data flowing to Client from FlowsFrom can exploit a bug in Service to send a harmful script to the client browser. We assume this will make the browser leak authentication credentials, such as a password or session key.
CSG-SuspendServiceVulnerableToXSS
CC.AuC.DFsXSS.3

Stored XSS exploit against Client by Service injected via input Data from FlowsFrom: an attacker who can inject malicious content into input Data flowing to Service from FlowsFrom can exploit a bug in Service, and send a harmful script to a trusting client browser Client. We assume this will make the browser leak authentication credentials, such as a password or session key.
CSG-SuspendServiceVulnerableToXSS
CC.AuC.DSrXSS.3

Reflected XSS exploit on Client from Service injected via locally stored client input Data: an attacker who can inject malicious content into locally stored input Data used by Client can exploit a bug in Service and send a harmful script to the client browser. We assume this will make the browser leak authentication credentials, such as a password or session key.
CSG-SuspendServiceVulnerableToXSS
CC.AuC.DSsXSS.3

Stored XSS exploit from Service against Client: an attacker who can inject malicious content into service input Data stored on SHost can exploit a bug in Service, and send a harmful script to a trusting client browser Client. We assume this will make the browser leak authentication credentials, such as a password or session key.

        (empty)