Reflected Cross-Site Scripting (XSS)

Description

Reflected Cross-Site Scripting (XSS) occurs when an attacker injects malicious code into a vulnerable field or parameter and the server includes that code in its immediate response without storing it. Unlike stored XSS, which persists in the application's database or file system, reflected XSS is transient: the malicious payload is typically carried in a crafted URL or form submission that a victim must click or visit.

Because the injected script executes in the context of the victim's browser, it can steal session cookies, hijack accounts, or perform actions on behalf of the victim. Reflected XSS heavily relies on social engineering: attackers must entice or trick users into clicking a specially crafted link or submitting malicious data.

Examples

Malicious Query Parameter

An application includes user-submitted input directly into the response. For instance, a search form:

https://example.com/search?q=someinput

If the server-side code inserts the value of the q parameter (here, someinput) into the HTML page without proper escaping, an attacker can craft a URL that carries a script instead:

https://example.com/search?q=<script>alert('XSS')</script>

When a victim clicks this link, the browser executes the script in the page context.

Form Fields in GET/POST Requests

If a web form takes user data from a POST request and displays it on the page (e.g., in an error message or confirmation) without encoding or sanitization, an attacker can submit a malicious payload:

<script>alert('Reflected XSS');</script>

The response then reflects this script, causing the browser to run it whenever the victim views the result page.

Remediation

  1. Validate and Sanitize User Input
    • Filter out or neutralize dangerous characters or HTML tags.
    • Use well-maintained libraries or frameworks that handle HTML sanitization and escaping for your language of choice.
  2. Encode Output Correctly
    • Escape all dynamic content when rendering in HTML, JavaScript, or other contexts.
    • For instance, use HTML encoding for data placed in HTML text nodes, and JavaScript encoding for data placed in scripts.
  3. Implement a Content Security Policy (CSP)
    • Configure script-src, object-src, and other directives to restrict script execution.
    • This adds a strong additional layer of defense even if an XSS vector is later discovered.
  4. Use Server-Side Security Libraries and Frameworks
    • If your framework supports auto-escaping or context-sensitive encoding, enable it by default.
    • Avoid crafting raw HTML strings by concatenating user input; instead, use templating systems that are XSS-aware.
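As an added example (not code from the original page), the search-page reflection from the Examples section rendered two ways in Node.js: a vulnerable version that concatenates the raw q parameter into the response, and a hardened version that applies remediation steps 1 and 2 with one encoder per output context (HTML text node versus a JavaScript string literal inside a script block). The helper names escapeHtml, encodeForJs and reflectsScriptTag are assumptions for this illustration.

```javascript
// Added example: reflecting a search query into an HTML page, showing the
// vulnerable string-concatenation form beside a hardened form that encodes
// for each output context. Plain Node.js, no third-party packages.

// HTML-encode data placed in HTML text nodes or quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// Encode data placed inside a <script> block as a JSON string literal, and
// additionally escape "<" so a "</script>" inside the data cannot close the tag.
function encodeForJs(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// VULNERABLE: the raw query parameter is concatenated straight into the page,
// once into an HTML text node and once into a JavaScript string.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>\n` +
         `<script>var lastQuery = "${q}";</script>`;
}

// HARDENED: each insertion point uses the encoder for its own context.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>\n` +
         `<script>var lastQuery = ${encodeForJs(q)};</script>`;
}

// Constructed sample input: the payload from the URL example above.
const samplePayload = "<script>alert('XSS')</script>";

// Simple check for a test suite: the template itself contains exactly one
// <script> tag, so any additional one must have come from the input.
function reflectsScriptTag(html) {
  return (html.match(/<script>/g) || []).length > 1;
}

console.log('vulnerable:\n' + renderSearchVulnerable(samplePayload));
console.log('hardened:\n' + renderSearchSafe(samplePayload));
```

The hardened output still carries the attacker's text, but only as inert data: the browser renders it literally in the heading and assigns it to lastQuery as a string.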