Reflected Cross-Site Scripting (XSS)

Reflected XSS is a common web vulnerability that occurs when malicious scripts are reflected off a web server and executed in the user's browser. This type of XSS attack can lead to severe consequences, including session hijacking, defacement, and data theft.

How Reflected XSS Works

  1. Injection: An attacker injects a malicious payload into a request (URL, form input, etc.).
  2. Reflection: The vulnerable web application reflects the payload back to the user's browser in the HTTP response.
  3. Execution: The browser executes the script, allowing the attacker to perform actions on behalf of the user or steal sensitive information.

Imagine a search feature on a website that directly reflects the user input back to the page.

<form action="/search" method="GET">
  <input type="text" name="q" />
  <input type="submit" value="Search" />
</form>

If the search query is directly reflected, the following URL can exploit the vulnerability:

http://example.com/search?q=<script>alert('XSS')</script>
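The search page above, as an added example that is not code from the original page: one handler that reflects `q` unchanged, and one that encodes it on output. The function names, the markup, and the Content-Security-Policy value are assumptions made for illustration.

```javascript
// Constructed example: a /search handler, vulnerable vs. output-encoded.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the q parameter is concatenated into the response unchanged,
// so markup in the query string becomes markup in the page.
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<h1>Results for ${q}</h1>` +
    `<form action="/search" method="GET"><input type="text" name="q" value="${q}" /></form>`;
}

// Hardened: q is encoded at output time, which covers both the element
// context (<h1>) and the quoted attribute context (value="...").
// A restrictive CSP is returned as a second layer of defence.
function renderSearchSafe(requestUrl) {
  const q = escapeHtml(new URL(requestUrl).searchParams.get("q") ?? "");
  return {
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    body: `<h1>Results for ${q}</h1>` +
      `<form action="/search" method="GET"><input type="text" name="q" value="${q}" /></form>`,
  };
}

// Sample input: the URL shown in the text above.
const sampleUrl = "http://example.com/search?q=<script>alert('XSS')</script>";
console.log(renderSearchVulnerable(sampleUrl)); // script tag reaches the page intact
console.log(renderSearchSafe(sampleUrl).body);  // script tag rendered as inert text
```

Encoding happens where the value is written into HTML, not where it is read from the request, so the same value stays usable in other contexts such as logs or database queries.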

Performing these attacks on systems without permission is illegal. Always obtain proper authorization before testing for vulnerabilities.

Advanced Techniques

Use these techniques responsibly and ethically, ensuring you have permission to test the security of a web application.
