Cross Site Scripting (Reflected)
ID: cross_site_scripting_reflected
Severity: critical
Kind: Cross-Site Scripting
CWE: 79 (Improper Neutralization of Input During Web Page Generation)
Description
Reflected Cross-Site Scripting (XSS) occurs when an application takes data from an HTTP request (a query parameter, path segment, header or form field) and writes it into the immediate response without validation or context-appropriate encoding. Unlike stored XSS, the payload is not persisted on the server; it is echoed straight back in error messages, search results, or any other response that reflects user-supplied input, whether into HTML body text, an attribute value, a script block or a URL. When a victim opens a crafted link or submits a manipulated form, the injected script runs in the victim's browser within the origin of the vulnerable application, with the same access to the page, cookies and storage as the application's own scripts.
Rationale
An attacker can exploit Reflected XSS to steal session tokens and other data exposed to the page, perform actions on behalf of the authenticated user by issuing same-origin requests with the victim's session, capture keystrokes or form input, or redirect the victim to a malicious site. Common delivery vectors are crafted URLs sent through phishing emails or social media messages, and third-party pages that automatically submit a request to the vulnerable endpoint. Because the script is served by the vulnerable origin itself, the same-origin policy does not isolate it: the browser has no way to distinguish the injected script from the application's own code, so the attacker gets the same access to the DOM, the session and same-origin APIs that the application has.
Remediation
Apply context-sensitive output encoding to all user-supplied data before writing it into a response, choosing the encoder for the exact context the data lands in: HTML entity encoding for HTML body content, attribute encoding for values inside HTML attributes, JavaScript string encoding for data inserted into script blocks, and URL (percent) encoding for data placed in URL parameters. When contexts nest, for example a URL parameter inside an href attribute, encode inner-to-outer (URL-encode the parameter, then attribute-encode the whole attribute value). The OWASP Java Encoder and OWASP ESAPI libraries provide vetted encoders for these contexts; the standalone Microsoft Anti-XSS library has been folded into System.Web.Security.AntiXss in .NET 4.5 and later. Frameworks that escape by default, such as Apache Wicket, cover only output that passes through their own templating; any value assembled by string concatenation still needs explicit encoding.
Validate all input on the server side with an allow-list that accepts only values matching the expected type, length and pattern (for example, a page number must be a short string of digits), and reject anything else rather than attempting to clean it. Validation is a secondary control: free-text fields such as a search query cannot be restricted tightly enough to exclude every dangerous character, so output encoding remains the primary defense. Do not rely on client-side validation or on deny-list filtering, as attackers can bypass both.
Deploy a strict Content-Security-Policy (CSP) header that blocks inline scripts and restricts script sources to trusted origins: set script-src to a per-response nonce or script hashes (never 'unsafe-inline'), and add object-src 'none' and base-uri 'none' to close the remaining injection routes. CSP does not fix the reflection, but it provides defense-in-depth if an encoding flaw is introduced, because an injected script without the nonce will not execute.
Set the HttpOnly flag on session cookies so client-side script cannot read them through document.cookie; this stops cookie theft but not the attacker's ability to act as the user through same-origin requests from the injected script, so it is a mitigation, not a fix. Additionally, declare the character encoding (for example, Content-Type: text/html; charset=utf-8) on every response so the browser cannot be induced to sniff a different encoding in which filtered characters have another meaning.
References
- Cross-Site Scripting, in OWASP Community.