XSS (Reflected) Notes

XSS (Reflected)

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
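
The unsafe pattern described above next to its hardened form, as an added example that is not part of the original notes. The search route, the q parameter and the app.example host are assumptions, and the probe string is a constructed, harmless marker.

```javascript
// Added example: a constructed search page, not code from the original notes.
// The route, the "q" parameter and the host "app.example" are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure in element
// content or inside a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the "q" parameter from the request URL (already percent-decoded).
function queryParam(requestUrl) {
  return new URL(requestUrl, 'http://app.example').searchParams.get('q') ?? '';
}

// Unsafe: request data is concatenated into the immediate response as-is.
function renderVulnerable(requestUrl) {
  const q = queryParam(requestUrl);
  return `<input name="q" value="${q}"><p>Results for: ${q}</p>`;
}

// Hardened: same page, but the value is HTML-encoded at the point of output.
function renderSafe(requestUrl) {
  const q = escapeHtml(queryParam(requestUrl));
  return `<input name="q" value="${q}"><p>Results for: ${q}</p>`;
}

// Regression check: does a handler echo the probe's markup characters unencoded?
function reflectsRaw(render, probe) {
  const body = render('/search?q=' + encodeURIComponent(probe));
  return body.includes(probe);
}

// Constructed, harmless probe: it only needs characters that matter in HTML.
const PROBE = 'zq7"><b>zq7</b>';

console.log('vulnerable reflects raw:', reflectsRaw(renderVulnerable, PROBE)); // true
console.log('safe reflects raw:', reflectsRaw(renderSafe, PROBE));             // false
console.log(renderSafe('/search?q=' + encodeURIComponent(PROBE)));
```

The encoding here covers HTML element content and quoted attribute values only; data placed inside a script block, a URL or a style needs the encoding for that context instead.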

Impact of XSS (what an attacker can do as the victim user):

  • Perform any action within the application that the user can perform.
  • View any information that the user is able to view.
  • Modify any information that the user is able to modify.
  • Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

How to find reflected XSS:

  • Test every entry point
  • Test a candidate payload
  • Test alternative payloads
  • Test the attack in a browser

Typical XSS Payload

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Resources

  1. Cross-site Scripting
  2. XSS Cheatsheet
  3. XSS Payload List
  4. XSStrike

Reference