Severity: Medium to Critical
Reflected XSS (Cross-Site Scripting) occurs when user input is inadequately validated or sanitized prior to being inserted into a page.
With reflected XSS, if an attacker can get a victim to go to a specific URL (e.g.
For example, you may see the following:
This vulnerable website neither escapes nor validates the input; it is simply placed inside a link:
Now if one submits the following, we are prompted with an alert box displaying the value
A great way to determine in what context the XSS payload is executing is to use alert(document.domain). One might want to do this to ensure that the injection endpoint is not located on a sandboxed domain.
User input should always be encoded prior to output, using the encoding appropriate to the context it lands in. If the user input is being inserted into a script tag, it must be in string form and be string escaped, as well as ensuring that < and > are not included directly. If the user input is going elsewhere on a page, it must be HTML entity encoded.
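As an added example (not code from the original page), the two context-specific encoders the remediation calls for, applied to a constructed reflected parameter that is placed both inside a link and inside an inline script string. The function names, the page template and the sample input are assumptions for illustration.

```javascript
// Added example: context-aware output encoding for a reflected parameter.
// Two output contexts are handled separately: HTML content/attributes and a
// string literal inside an inline <script> block.

// HTML entity encoding for input placed in HTML content or quoted attributes.
function htmlEncode(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Escaping for input placed inside a JavaScript string literal. Quotes and
// backslashes are escaped, and '<', '>', '/' and line terminators are emitted
// as \x or \u escapes so a literal "</script>" can never appear in the page.
function jsStringEncode(input) {
  return String(input).replace(/[\\'"<>\/\u2028\u2029\r\n]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hypothetical page template: reflects the "name" parameter into a link
// (URL-encoded in the href, entity-encoded in the link text) and into a
// script string (string-escaped). The vulnerable version concatenated `name`
// into both places unchanged.
function renderPage(name) {
  return [
    '<a href="/profile?name=' + encodeURIComponent(name) + '">' +
      htmlEncode(name) + '</a>',
    '<script>var name = "' + jsStringEncode(name) + '";</script>',
  ].join('\n');
}

// Counts literal "<script" occurrences; a hardened page has exactly one,
// the template's own, regardless of what the parameter contained.
function scriptTagCount(page) {
  return (page.match(/<script/g) || []).length;
}

// Constructed sample input (not a captured request).
const SAMPLE = '"><script>alert(document.domain)</script>';
console.log(renderPage(SAMPLE));
console.log('script tags in output:', scriptTagCount(renderPage(SAMPLE)));
```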