Reflected Cross site scripting full tutorial


— Reflected XSS Vulnerability —

By Wikipedia

Reflected XSS attacks are also known as non-persistent XSS attacks and, since the attack payload is delivered and executed via a single request and response, they are also referred to as first-order or type 1 XSS.

When a web application is vulnerable to this type of attack, it will pass unvalidated input sent through requests back to the client. The common modus operandi of the attack includes a design step, in which the attacker creates and tests an offending URI, a social engineering step, in which she convinces her victims to load this URI on their browsers, and the eventual execution of the offending code using the victim’s browser.

Black Box testing:

To detect an XSS vulnerability, the tester will typically use specially crafted input data with each input vector.

Ideally all HTML special characters will be replaced with HTML entities. The key HTML entities to identify are:

> (greater than) 
< (less than) 
& (ampersand)
' (apostrophe or single quote)
" (double quote)

For example, consider a site that has a welcome notice "Welcome %username%" and a download link.

Let’s try to change the following link and see what happens: 

If no filtering is applied, this will result in the following popup:

This indicates that there is an XSS vulnerability, and it appears that the tester can execute code of his choice in anybody's browser if that person clicks on the tester's link. For instance, the injected script could rewrite the page's first link:

    window.onload = function() {
        var AllLinks = document.getElementsByTagName("a");
        AllLinks[0].href = "";   // replaces the download link's destination
    }


This will cause the user who clicks on the link supplied by the tester to download the file malicious.exe from a site the tester controls.

Bypass XSS filters:

Reflected cross-site scripting attacks are prevented when the web application sanitizes input, when a web application firewall blocks malicious input, or by protection mechanisms built into modern web browsers.

Since these filters are based on a blacklist, they cannot block every kind of expression. In fact, there are cases in which an XSS exploit can be carried out without the use of <script> tags and even without characters such as " and / that are commonly filtered. For example, the web application could use the user input value to fill an attribute, as shown in the following code:

<input type="text" name="state" value="INPUT_FROM_USER">

Then an attacker could submit the following code:

" onfocus="alert(document.cookie)

Another example:

"%3cscript%3ealert(document.cookie)%3c/script%3e
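As an added example (not code from the original tutorial), the following Python shows how output encoding of the five entities listed earlier neutralizes both the attribute-context payload and the script-tag payload shown above: each request value is URL-decoded, encoded, placed into the page, and the rendered markup is parsed back to confirm that no new tag or attribute appeared. The function names (render_welcome, render_state_input, parse_markup) are assumed for illustration.

```python
import urllib.parse
from html.parser import HTMLParser

# The five characters the page lists and the entities they become. '&' comes
# first so the entities produced for the other characters are not re-escaped.
ENTITIES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"), ("'", "&#x27;")]


def escape_html(value: str) -> str:
    """Replace every HTML special character with its entity (output encoding)."""
    for ch, ent in ENTITIES:
        value = value.replace(ch, ent)
    return value


def render_welcome(raw_param: str) -> str:
    """Body context: the 'Welcome %username%' notice built from a query value.
    The value is URL-decoded first, so escaping sees the real characters."""
    return "<p>Welcome " + escape_html(urllib.parse.unquote(raw_param)) + " !</p>"


def render_state_input(raw_param: str) -> str:
    """Attribute context: the 'state' field. With the quote encoded, the value
    can never close the attribute and start a new one such as onfocus."""
    state = escape_html(urllib.parse.unquote(raw_param))
    return '<input type="text" name="state" value="' + state + '">'


class _Collector(HTMLParser):
    """Records the start tags (with attributes) and text runs a browser-side
    parser would see, so the rendered markup can be checked."""

    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text.append(data)


def parse_markup(markup: str):
    """Return (tags, text) parsed from the rendered HTML."""
    c = _Collector()
    c.feed(markup)
    c.close()
    return c.tags, c.text
```

Feeding the page's two payloads through these renderers yields a single input element whose value attribute holds the payload literally, and a paragraph whose text contains the script markup as inert characters.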

Bypassing non-recursive filtering:

Sometimes the sanitization is applied only once and is not performed recursively. In this case the attacker can beat the filter by sending a string containing multiple attempts, like this one:


Including external script:

Now suppose that developers of the target site implemented the following code to protect the input from the inclusion of external script:

    $re = "/<script[^>]+src/i";   // regex reconstructed from the text's description
    if (preg_match($re, $_GET['var'])) {
        echo "Filtered";
        return;
    }
    echo "Welcome " . $_GET['var'] . " !";

In this scenario a regular expression checks whether a string matching `<script[^>]+src` (a script tag whose attributes contain src) is inserted. This is useful for filtering the plain external script include, which is a common attack. But, in this case, it is possible to bypass the sanitization by using the ">" character in an attribute between script and src: the `[^>]+` part of the pattern stops matching at that ">", so src is never reached and the filter lets the tag through, like this:


This will exploit the reflected cross-site scripting vulnerability shown before, executing the JavaScript code stored on the attacker's web server as if it originated from the victim web site, http://example/.
