Cross-Site Scripting - Reflected

General Reflected XSS Report Requirements

Payloads should show access to the DOM when possible using document.domain or similar.
Screenshots should include successful XSS execution.
HTTP requests where payloads are sent are required.
A full PoC should be included in report.
If authentication is required, please include credentials in your first step.

Template Contents

Title

Reflected XSS On [WEBSITE]

Description

Cross-Site Scripting (XSS) attacks involve the execution of untrusted user input in the context of an application. Input injected through areas such as request parameters is reflected in an unsafe manner by the application. The following report will demonstrate the issue(s) found on the tested web application.

Impact

XSS results in unauthorized code being executed/rendered by a user's browser. As a result, the following may occur:

Cookies can be stolen, leading to account takeover
Untrusted code can modify the DOM environment and retrieve/modify various values
Malicious execution of input can lead to a variety of other impacts

Recommended Fix

Some general rules provided by OWASP:

Never insert untrusted data except in allowed locations
HTML encode before inserting untrusted data into HTML element content
Attribute encode before inserting untrusted data into HTML common attributes
JavaScript encode before inserting untrusted data into JavaScript data values
URL encode before inserting untrusted data into HTML URL parameter values

For more detailed information on these tips, visit the OWASP XSS Prevention cheat sheet HERE.

PreviousCross-Site Scripting - DOM-XSS NextCross-Site Scripting - Persistent

Last updated 1 year ago

hashtagGeneral Reflected XSS Report Requirements

hashtagTemplate Contents

hashtagTitle

hashtagDescription

hashtagImpact

hashtagXSS results in unauthorized code being executed/rendered by a user's browser. As a result, the following may occur:

hashtagRecommended Fix

hashtagSome general rules provided by OWASP: