Reflected Cross Site Scripting

OWASP 2013-A3 OWASP 2017-A7 OWASP 2021-A3 PCI v3.2-6.5.7 OWASP PC-C4 CAPEC-591 CWE-79 HIPAA-164.308(a) ISO27001-A.14.2.5 WASC-08 WSTG-INPV-01

There are web applications that are vulnerable to Reflected cross-site scripting because these applications allow remote attackers to inject browser executable code within a single HTTP response. These applications fail to properly process the codes when the attacker uses the executable code as part of his custom URI or HTTP parameters.

A web application is vulnerable to reflected cross-site scripting attack when the application passes unvalidated input from the clients/end-users. In this attack, an attacker creates and tests a malicious URI and initiates a social engineering step, in which the attacker convinces his victims to execute the malicious URI on their browsers. This step by the user allows the execution of the malicious code on their browser. Usually, an attacker uses Javascript for performing this attack, but other scripting languages are also used. e.g., ActionScript and VBScript. An attacker leverages this vulnerability to install keyloggers and steal victim cookies, perform clipboard theft, change the content of the page and so on.

One of the main difficulty in preventing XSS is to implement proper character encoding. In some cases, the web application could not be filtering some encodings of characters. Consider the example where the web application might filter < script > tag, but might not filter %3cscript%3e. This text represents another encoding of tags.


Consider that the above page redirects to a page that has a welcome notice as “Welcome %username%” along with a download link.

The attacker will analyse the link and try to exploit XSS using user variable in hopes of triggering the vulnerability.<script>alert(123)</script>


A successful execution of the above URL indicates that the site is vulnerable to XSS vulnerability. The above link allows an attacker can execute any script.


An attacker can perform attacks like:-

  • Account hijacking: An attacker can gain access to an end-user account.
  • Credential theft: An attacker can steal the credentials of users to access their account.
  • Data leakage: Using the credentials, the attacker can steal sensitive information about the user.
  • An attacker can fake itself as the host application to the end users and redirect them to the malicious application.
  • The other attacks include key-logger attack, website defacement and port scan.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Ensuring that the inputs are properly validated.
  • Encoding all input fields.
  • Ensuring all cookie properties are properly set.

Latest Articles