Reflected Cross Site Scripting

Travel Planner VIP
Published in TechTalesClub
3 min read · Nov 12, 2019


Cross Site Scripting (XSS) attacks are a type of injection attack, where scripts are injected into a trusted website or web application. There are subcategories of XSS attack, which work very differently. Generally, an XSS attack is performed using a browser-side script that is intended to run in a different user's session.

The intent of an XSS attack is to steal cookies, session tokens, or other sensitive information and divert this information to somewhere not intended. More information can be found on the OWASP website: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

The three main types of attacks are Reflected, Stored and DOM based. This post is going to talk specifically about Reflected.

Reflected XSS

Reflected XSS is performed by constructing a URL which will reflect some kind of content back onto the page.

An example of this would be something like a site which searches for a postcode. You end up with a URL like:

https://my-website.com/?post-code=SK22

Depending on how the website was written, the developer may have reflected query parameters back onto the page, to display in a section such as ‘You searched for SK22’.

If the query string parameter is not encoded correctly, this can lead to passing…
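The postcode search described above, as an added example that is not code from the original post: the same page rendered once with the raw query parameter and once with HTML encoding, plus a regression check that reports whether a renderer reflects markup unencoded. The function names and the probe string are assumptions made for illustration; the URL is the post's own example.

```javascript
// Added example (not from the original post). All function names are hypothetical.

// Read the post-code query parameter; URLSearchParams percent-decodes the value.
function getPostCode(requestUrl) {
  return new URL(requestUrl).searchParams.get("post-code") || "";
}

// Vulnerable: the decoded parameter is concatenated straight into the HTML,
// so any markup in the URL becomes part of the page.
function renderUnsafe(requestUrl) {
  return "<p>You searched for " + getPostCode(requestUrl) + "</p>";
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened: the parameter is HTML-encoded before it is reflected,
// so the browser displays it as text instead of parsing it as markup.
function renderSafe(requestUrl) {
  return "<p>You searched for " + escapeHtml(getPostCode(requestUrl)) + "</p>";
}

// Regression check: send a harmless, constructed markup probe through a renderer
// and report whether it comes back unencoded.
function reflectsRawMarkup(renderFn) {
  const probe = "<i>xss-probe</i>";
  const url = "https://my-website.com/?post-code=" + encodeURIComponent(probe);
  return renderFn(url).includes(probe);
}

// Constructed sample requests.
const benignUrl = "https://my-website.com/?post-code=SK22";
const markupUrl = "https://my-website.com/?post-code=" + encodeURIComponent("<b>SK22</b>");

console.log(renderUnsafe(benignUrl)); // plain postcode, looks fine
console.log(renderUnsafe(markupUrl)); // markup from the URL lands in the page
console.log(renderSafe(markupUrl));   // same input shown as literal text
console.log(reflectsRawMarkup(renderUnsafe), reflectsRawMarkup(renderSafe));
```

HTML entity encoding is the right encoding only when the value is placed in element content or a quoted attribute; a value reflected into a script block or a URL needs the encoding for that context.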
