Reflected Cross-Site Scripting (XSS) is a vulnerability where user-supplied input is immediately returned by the web application in an error message, search result, or other response without proper encoding or sanitization. The malicious script is "reflected" off the server and executed in the victim's browser.
An attacker crafts a malicious URL containing JavaScript code as a parameter. When a victim clicks the link, the server includes the unescaped input in the response, causing the browser to execute the attacker's script in the context of the vulnerable site.
Example: a vulnerable search page that displays the search term unencoded. Request:
GET /search?q=<script>alert(document.cookie)</script>
Response:
<p>Results for: <script>alert(document.cookie)</script></p>
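The response above rendered two ways, as an added example that is not code from the original page: once by plain concatenation and once with HTML encoding at the point of output. The function names and the example.test base host are assumptions made for illustration.

```javascript
// Added example: the page's search response, rendered unsafely and safely.
// Function names and the example.test host are assumptions for illustration.

// Characters that must be encoded before text is placed in HTML element
// content or a quoted attribute value.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Extract the q parameter from a request target such as "/search?q=...".
function getSearchTerm(requestTarget) {
  const url = new URL(requestTarget, 'http://example.test');
  return url.searchParams.get('q') ?? '';
}

// Vulnerable: the term is concatenated into markup as-is (the page's response).
function renderResultsVulnerable(requestTarget) {
  return `<p>Results for: ${getSearchTerm(requestTarget)}</p>`;
}

// Hardened: the term is HTML-encoded at the point of output, so the browser
// treats it as text rather than markup.
function renderResultsEncoded(requestTarget) {
  return `<p>Results for: ${escapeHtml(getSearchTerm(requestTarget))}</p>`;
}

// The request shown on the page, used as sample input.
const SAMPLE_REQUEST = '/search?q=<script>alert(document.cookie)</script>';

console.log(renderResultsVulnerable(SAMPLE_REQUEST));
console.log(renderResultsEncoded(SAMPLE_REQUEST));
```

This encoding is correct for HTML element content and quoted attribute values only; input placed inside a script block, an event handler, or a URL attribute needs the encoding specific to that context.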