Reflected cross-site scripting (XSS) is an attack in which the attacker delivers the payload to the target as part of a URL. When the user clicks the link, the vulnerable web application reflects the payload back into the response page and the user's browser executes it.
Example of a reflected XSS attack
Warning: This information is provided for the purpose of educating security professionals about the risks and specifics of such attacks and is in no way intended to encourage illegal actions.
In this example, the developer wants to display the name of the currently authenticated user on the welcome screen (welcome.php). They add the following login form to the login.php web page:
<form action="/welcome.php" method="get" id="login">
<label for="name">Your name:</label>
<input type="text" id="name" name="name">
<label for="password">Your password:</label>
<input type="password" id="password" name="password">
<button type="submit" form="login" value="login">Log in</button>
</form>
The program sends the name and password using the GET method and then displays the name on the welcome.php page without any validation or sanitization.
The attacker creates the following URL:
http://www.example.com/welcome.php?name=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%4c%45%41%56%45%20%54%48%49%53%20%50%41%47%45%21%20%59%4f%55%20%41%52%45%20%42%45%49%4e%47%20%48%41%43%4b%45%44%21%22%29%3b%3c%2f%73%63%72%69%70%74%3e
This is an encoded form of the following content:
<script>alert("LEAVE THIS PAGE! YOU ARE BEING HACKED!");</script>
The attacker then sends the URL, for example, in an email or message. The target clicks on it, opens the welcome.php page, and their browser interprets the following code:
<strong>Hello, <script>alert("LEAVE THIS PAGE! YOU ARE BEING HACKED!");</script>!</strong>
The browser finds the <script> tag and executes the JavaScript inside it. The result is a pop-up window telling the user to leave the page.
Fixing Reflected XSS
HTMLPurifier filtering can be used to clean the input and, in addition, HTML special characters can be escaped. To do this, include the HTMLPurifier library and modify the welcome.php file as follows:
// Display the name of the user
// Use HTMLPurifier with HTML escaping to avoid XSS
$name = $_GET["name"] ?? "";
// Purify user data using HTMLPurifier
(...)
// Default configuration; restrict it further if no HTML at all should be allowed
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$purified_name = $purifier->purify($name);
// Just to be sure, HTML-escape special characters (both quote types included)
$safe_name = htmlspecialchars($purified_name, ENT_QUOTES, "UTF-8");
// Display the safe name
echo "<strong>Hello, ".$safe_name."!</strong>";
(...)
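The following is an added, self-contained example (not the article's code and not part of HTMLPurifier) that puts the vulnerable and the hardened welcome.php output side by side and runs both on the article's percent-encoded payload from the command line; the function names and the CLI check are assumptions for this demonstration.

```php
<?php
// Added example: vulnerable vs. hardened rendering of the welcome message.
// Run with `php welcome_demo.php` to compare both on the article's payload.
declare(strict_types=1);

// Vulnerable: the raw query parameter is reflected straight into the HTML.
function render_welcome_vulnerable(string $name): string
{
    return "<strong>Hello, " . $name . "!</strong>";
}

// Hardened: escape for an HTML text context. ENT_QUOTES escapes both quote
// characters, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, and the charset is stated explicitly.
function render_welcome_safe(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<strong>Hello, " . $safe . "!</strong>";
}

// The percent-encoded payload from the article, decoded the way PHP decodes
// the query string before populating $_GET['name'].
$encodedPayload = '%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%4c%45%41%56%45'
    . '%20%54%48%49%53%20%50%41%47%45%21%20%59%4f%55%20%41%52%45%20%42%45'
    . '%49%4e%47%20%48%41%43%4b%45%44%21%22%29%3b%3c%2f%73%63%72%69%70%74%3e';
$name = urldecode($encodedPayload);

// Under a web server use the real parameter; on the CLI use the sample above.
if (PHP_SAPI !== 'cli') {
    $name = (string) ($_GET['name'] ?? '');
}

$vulnerable = render_welcome_vulnerable($name);
$safe = render_welcome_safe($name);

if (PHP_SAPI === 'cli') {
    echo "vulnerable: $vulnerable\n";
    echo "safe:       $safe\n";
    // The escaped output contains no '<', so the browser renders it as text.
    echo (strpos($safe, '<script>') === false ? 'OK' : 'FAIL')
        . ": no <script> tag in escaped output\n";
} else {
    // State the charset so the browser cannot second-guess the encoding.
    header('Content-Type: text/html; charset=UTF-8');
    echo $safe;
}
```

For a plain-text field such as a user name, context-correct escaping alone is the fix; HTMLPurifier is only needed when some HTML markup must be allowed through.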
Impacts of Reflected XSS
Reflected cross-site scripting is considered less dangerous than stored/persistent XSS, but the consequences can still be dire.
A reflected XSS attack is more difficult to execute because it requires more than just creating and sending a single payload. The attacker also needs to use social engineering techniques to target a specific user.
Here are some of the actions a malicious hacker might take:
- They could create a phishing campaign and send thousands of emails containing a malicious link with a payload that redirects users to a phishing page designed to mimic a web application. As a result, a large number of users could have their credentials stolen.
- Malicious hackers could create a payload that redirects the user to a page that mimics a login to a web application. They would then send this malicious URL to internal users, even the CEO. If even one of them falls for this trick, the attacker would have their credentials to escalate the attack. Ultimately, this could allow them to gain access to other computer systems in the organization.
Useful articles on preventing XSS
- Preventing XSS in applications based on Java
- Preventing XSS in web applications based on React
- A guide to XSS in Angular: examples and prevention
How to detect reflected XSS?
The following methods can be used for this:
- DAST – dynamic testing that safely simulates attacker actions against the running application to detect vulnerabilities.
- SAST – static analysis that searches the source code for security issues.
They complement each other, making it possible to scan websites from the early stages of development to production.
Examples of tools:
- Invicti DAST (formerly Acunetix and Netsparker)
- Mend SAST
They combine two mature solutions with seamless integration to centralize vulnerabilities in a single console.