Cross-Site Scripting - Reflected

General Reflected XSS Report Requirements

---

• Payloads should show access to the DOM when possible using document.domain or similar.

• Screenshots should include successful XSS execution.

• HTTP requests where payloads are sent are required.

• A full PoC should be included in report.

• If authentication is required, please include credentials in your first step.

---

Template Contents

---

Title

Reflected XSS On [WEBSITE]

---

Description

Cross-Site Scripting (XSS) attacks involve the execution of untrusted user input in the context of an application. Input injected through areas such as request parameters is reflected in an unsafe manner by the application. The following report will demonstrate the issue(s) found on the tested web application.

---

Impact

XSS results in unauthorized code being executed/rendered by a user's browser. As a result, the following may occur:

• Cookies can be stolen, leading to account takeover

• Untrusted code can modify the DOM environment and retrieve/modify various values

• Malicious execution of input can lead to a variety of other impacts

---

Recommended Fix

Some general rules provided by OWASP:

• Never insert untrusted data except in allowed locations

• HTML encode before inserting untrusted data into HTML element content

• Attribute encode before inserting untrusted data into HTML common attributes

• JavaScript encode before inserting untrusted data into JavaScript data values

• URL encode before inserting untrusted data into HTML URL parameter values

For more detailed information on these tips, visit the OWASP XSS Prevention cheat sheet HERE.

---