Reflected XSS Explained

Reflected Cross-Site Scripting (XSS) is a web vulnerability in which untrusted input from the request (typically a
query-string or form parameter) is immediately echoed, or “reflected”, into the HTTP response without proper output
encoding. An attacker who can get a victim to open a crafted URL thereby injects JavaScript that runs in the victim’s
browser, in the origin of the vulnerable site, with whatever session and permissions the victim holds there.

Example Scenario

Imagine a search feature on a website:
https://example.com/search?q=bitcoin

If the application reflects the input directly:
<p>You searched for: bitcoin</p>

And the attacker crafts a link like this one and gets the victim to open it (in a phishing email, a forum post or a
shortened URL; the browser sends the angle brackets percent-encoded, and the server decodes them before reflecting):
https://example.com/search?q=<script>alert('XSS!')</script>

The response becomes:
<p>You searched for: <script>alert('XSS!')</script></p>

The browser parses the reflected markup as part of the page and executes the script. alert() is only the proof of
concept; the same injection point runs any script the attacker chooses.
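The scenario above, as an added example (Node.js, not code from the original post): the vulnerable search handler, the same handler with HTML encoding, the URL decoding that hands the server the raw payload, and a canary probe of the kind scanners use to spot an unencoded reflection. Function names and the canary string are assumptions for illustration.

```javascript
// Added example (not from the original post). Models the search page described above.

// Minimal HTML body-context encoder: the five characters that matter in text content.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Vulnerable handler: reflects q verbatim, exactly as the post's example does.
function renderSearchVulnerable(q) {
  return `<p>You searched for: ${q}</p>`;
}

// Fixed handler: the same page, with q encoded for the HTML body context.
function renderSearchSafe(q) {
  return `<p>You searched for: ${encodeHtml(q)}</p>`;
}

// The server sees the decoded value: the browser percent-encodes < and > in the link,
// and the query parser decodes them again before the value reaches the template.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Reflection probe: send a unique marker containing the HTML metacharacters and check
// whether the response contains it unencoded. A hit is a likely reflected XSS sink and
// still needs manual confirmation, since the exact context decides the working payload.
const CANARY = "zx7q<\"'>zx7q"; // assumed marker; real scanners randomise it per request
function probeReflection(render) {
  const body = render(CANARY);
  if (body.includes(CANARY)) return "unencoded reflection";
  if (body.includes(encodeHtml(CANARY))) return "encoded reflection";
  return "not reflected";
}

// Stand-alone demo of the attacker URL from the text, percent-encoded as a browser sends it.
const attackerUrl = "https://example.com/search?q=%3Cscript%3Ealert('XSS!')%3C/script%3E";
const q = queryParam(attackerUrl, "q");
console.log("vulnerable:", renderSearchVulnerable(q));
console.log("safe:      ", renderSearchSafe(q));
console.log("probe:     ", probeReflection(renderSearchVulnerable), "/", probeReflection(renderSearchSafe));
```

The encoded page still shows the visitor exactly what they typed; the difference is that the browser renders `&lt;script&gt;` as text instead of parsing it as a tag.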

Real-World Impact

  • Steal user sessions: read document.cookie (unless the session cookie is HttpOnly) or simply make authenticated requests from the victim’s browser, which works regardless of cookie flags.
  • Deface the page temporarily: the injected script rewrites the DOM for that one response; nothing is stored on the server, so only victims who open the crafted link see it.
  • Redirect users to malicious pages, for example a phishing copy of the login form.
  • Abuse browser features the site has already been granted, such as the clipboard, camera or microphone: the script runs in the site’s origin and inherits its permissions.

How to Mitigate Reflected XSS

  • Output Encoding (primary) and Input Validation: encode every reflected value for the context it lands in (HTML body, attribute, JavaScript string, URL, CSS). Validate input against an allowlist where the format is known (a numeric id, a date), but do not rely on validation alone: a search string legitimately contains almost any character.
  • Use a Security Library or Framework: templating that auto-escapes by default (React, Angular, Vue, Django templates) covers the HTML body context. The escape hatches (dangerouslySetInnerHTML, bypassSecurityTrustHtml, v-html, the |safe filter) reopen the hole and deserve review.
  • Set HTTP Security Headers: a Content-Security-Policy whose script-src uses nonces or hashes blocks injected inline scripts even when encoding is missed; X-Content-Type-Options: nosniff stops the browser from treating a reflected response as a script it was not declared to be. Headers are defense in depth, not a replacement for encoding.
  • Sanitize HTML Only Where Rich HTML Is Required: when user-supplied HTML must be rendered, run it through a sanitizer such as DOMPurify at the point of output. For plain text, encoding is both simpler and safer than sanitizing.
  • Audit and Test Regularly: scan with OWASP ZAP or Burp Suite, which inject canary strings and look for them reflected unencoded, and confirm findings manually, because the exact injection context determines which payload works.

XSS Cheat Sheet

XSS Type        Description                                                                    Delivered Via
Reflected XSS   Input is immediately reflected back in the response; not persisted.           URL or query string, usually a link the victim opens
Stored XSS      Malicious script is stored on the server and served to every user who views it. Form submissions, comments, profile fields
DOM-based XSS   Client-side JavaScript writes untrusted data (e.g. location.hash) into a       URL fragment, DOM manipulation
                dangerous sink such as innerHTML; the server may never see the payload.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Author: Anuj Varma (Hands-On Technology Architect, Clean Air Activist).