SMVDB

Your handy all in one vulnerability cheat sheet

Reflected Cross Site Scripting (RXSS)

20002
'Reflection' is when a web application returns the data entered by a user via request into the web application response. 'Reflected Cross-Site Scripting' or 'RXSS' is a type of 'Browser Side Attacks or Client Side Attacks' attack where an attacker abuse the reflection and inexistence of input sanitization to inject JavaScript code into victim's responses to take control of their browsers, execute malicious code to steal session cookies, or even redirect them to other pages. Any reflected parameter of an application is suspected to be vulnerable but the most severe parameters are 'GET' parameters where an attacker can simply use the nature of 'GET' parameters where is being sent inside the URL to reflect malicious code into the victim responses. If the reflection happens via 'POST' parameter or what is sometimes referred to as 'Self Cross-Site Scripting' or 'SXSS' an attacker may not be able to exploit the reflection scenario unless there's no 'CSRF' protection. Sometimes an attacker may not be able to injection JavaScript Code, hence an attacker may try to inject another type of code such as HTML which is known as 'HTML Injection' to trick users into performing actions, or CSS code which is known as 'CSS Injection'