What is Reflected XSS?

Reflected Cross-Site Scripting (XSS) is a client-side injection vulnerability that occurs when user-supplied data is immediately included in the response from a web server, without proper sanitization or encoding. The attack payload is typically embedded in a URL and reflected back in the server's response, often in error messages, search results, or login pages.

🎯 Key Concepts

  • Trigger Point: Occurs when data is reflected from the request to the response.
  • No Persistence: Unlike stored XSS, the payload is not saved; it's delivered via a crafted link.
  • Execution: Relies on tricking a user into clicking the malicious URL.
  • Impact: Can lead to session hijacking, credential theft, defacement, or redirection.

🧪 Step-by-Step Exploitation

Step 1: Identify a Reflection Point

Test parameters in the URL, such as ?q=, ?search=, ?message=. Use harmless input first:

https://example.com/search?q=test

Step 2: Inject a Script Payload

If the input is echoed back unsanitized, try injecting:

https://example.com/search?q=<script>alert('XSS')</script>

Step 3: Observe Execution

If the JavaScript executes (e.g. an alert box pops up), the site is vulnerable to reflected XSS.

๐ŸŒ Real-World Example

Target: https://vulnerable-site.com/login?error=

Testing payload:

https://vulnerable-site.com/login?error=<script>alert('XSS')</script>

If the error message displays the unsanitized input:

Login failed: <script>alert('XSS')</script>

Then the browser will execute the script, confirming the vulnerability.
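The three steps above and the login example can be turned into a repeatable regression check. The following is an added example written for this page, not code from any real site: it models the `?error=` reflection point as a plain Python function (no web framework, so it runs offline), shows the vulnerable handler beside a hardened one that HTML-encodes the parameter before it reaches the markup, and runs the harmless-probe / script-probe / observe sequence against both. `BASE_URL`, the handler names and `assess` are hypothetical; the payload and URL are the ones shown above.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed values for this example; the URL and payload match the page above.
BASE_URL = "https://vulnerable-site.com/login"
HARMLESS_MARKER = "test"                       # Step 1 probe
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"  # Step 2 probe


def error_param(url: str) -> str:
    """Return the value of the ?error= parameter, i.e. the reflection point."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("error", [""])[0]


def render_login_error_vulnerable(error: str) -> str:
    """'Before': the parameter is interpolated straight into the HTML body.

    This is the behaviour described in the real-world example: whatever the
    URL carries is echoed verbatim, so a <script> payload is executed.
    """
    return f"<p>Login failed: {error}</p>"


def render_login_error_hardened(error: str) -> str:
    """'After': the parameter is HTML-entity-encoded for an element-body context.

    html.escape turns < > & " ' into entities, so the browser renders the
    payload as text instead of parsing it as markup. (Assumption: the value
    lands in element text; attribute or JavaScript contexts need their own
    context-specific encoding, which this example does not cover.)
    """
    return f"<p>Login failed: {html.escape(error, quote=True)}</p>"


def reflects_unencoded(response_body: str, probe: str) -> bool:
    """Step 3 check: does the probe come back verbatim (unencoded)?"""
    return probe in response_body


def assess(handler) -> dict:
    """Walk the three steps against a handler and report what was observed.

    1. Identify: send a harmless marker and see whether it is reflected.
    2. Inject:   send the script payload.
    3. Observe:  is the payload reflected verbatim? If so a browser would run it.
    """
    harmless_body = handler(error_param(f"{BASE_URL}?error={HARMLESS_MARKER}"))
    payload_body = handler(error_param(f"{BASE_URL}?error={SCRIPT_PAYLOAD}"))
    return {
        "reflected": HARMLESS_MARKER in harmless_body,
        "vulnerable": reflects_unencoded(payload_body, SCRIPT_PAYLOAD),
        "response": payload_body,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_login_error_vulnerable),
                          ("hardened", render_login_error_hardened)):
        result = assess(handler)
        print(f"{name:10s} reflected={result['reflected']} "
              f"vulnerable={result['vulnerable']}")
        print("  response:", result["response"])
```

A check like `assess` belongs in the application's own test suite: it asserts that the reflection point still echoes input (so the test is exercising the right code path) and that the echo is encoded, which is the property that actually prevents reflected XSS.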

💡 Practical Tips for Pentesters

🛡️ Mitigation Techniques

📚 Tools & Resources