How to remediate – Input Reflected

1. Introduction

Input Reflected is a vulnerability where user-supplied data is immediately returned in the response without proper sanitisation. This can allow attackers to inject malicious scripts into web pages viewed by other users, leading to cross-site scripting (XSS) attacks. It typically affects any web application that takes user input and displays it back to the user. A successful attack could compromise confidentiality, integrity, and availability of data depending on the context of the injected script.

2. Technical Explanation

The root cause is a lack of proper input validation or output encoding. An attacker can inject malicious scripts into parameters that are reflected in the response without being properly sanitised. This allows them to execute arbitrary JavaScript code within the victim’s browser.

  • Root cause: missing input validation and/or improper output encoding.
  • Exploit mechanism: An attacker crafts a malicious URL containing JavaScript code, which is then reflected in the response and executed by the user’s browser. For example, an attacker could send a link like https://example.com/search?q=
  • Scope: Web applications that accept user input without proper validation or encoding are affected.

3. Detection and Assessment

To confirm the vulnerability, check whether user-supplied data is reflected in the response. Start with a quick manual test, then use automated scanners for a thorough assessment.

  • Quick checks: Enter a simple XSS payload (e.g., ) into input fields and check if it’s reflected in the response source code.
  • Scanning: Use web vulnerability scanners like OWASP ZAP or Burp Suite to identify reflected inputs. These tools often have pre-built XSS detection rules.
  • Logs and evidence: Examine server logs for unusual characters or patterns in user input, such as script tags or encoded characters.
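# Replace <test-string> with the test input used in the quick check above.
curl -s 'https://example.com/search?q=<test-string>' | grep -F '<test-string>'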
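The check described under "Quick checks", together with the output-encoding root cause from section 2, as an added example that is not part of the original page. It reports which HTML metacharacters in a harmless probe come back unencoded; the probe string, the three render functions and all names are constructed for illustration.

```python
import html
import re

# Constructed probe: unique markers around the HTML metacharacters.
# It contains no script and executes nothing; it only shows what survives.
PREFIX, SUFFIX, META = "rx9zq", "kq7z", "<>\"'&"
PROBE = PREFIX + META + SUFFIX
ENTITY = re.compile(r"&(?:#x?[0-9a-fA-F]+|[A-Za-z]+);")

def render_vulnerable(q):
    """Hypothetical search page that echoes the parameter unencoded."""
    return f"<p>Results for: {q}</p>"

def render_partial(q):
    """Hypothetical page that encodes only angle brackets, then reflects
    into a quoted attribute, where the quote characters are what matter."""
    q = q.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input name="q" value="{q}">'

def render_encoded(q):
    """Same search page with HTML output encoding at the point of output."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"

def raw_metachars(body):
    """Return the set of metacharacters reflected unencoded, an empty set if
    the probe came back fully neutralised, or None if it was not reflected."""
    m = re.search(re.escape(PREFIX) + "(.*?)" + re.escape(SUFFIX), body, re.S)
    if m is None:
        return None
    leftover = ENTITY.sub("", m.group(1))  # drop well-formed entities
    return {c for c in META if c in leftover}

if __name__ == "__main__":
    for page in (render_vulnerable, render_partial, render_encoded):
        found = raw_metachars(page(PROBE))
        label = sorted(found) if found else "none"
        print(f"{page.__name__:18} raw metacharacters: {label}")
```

A non-empty result means the reflection point needs output encoding for the context it lands in; the partial case shows why encoding only angle brackets is not enough inside an attribute.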