OWASP Foundation
owasp.org › www-community › attacks › xss
Cross Site Scripting (XSS) | OWASP Foundation
For example in feedback forms, ... attacker’s payload will get executed. Blind Cross-site Scripting is hard to confirm in the real-world scenario but one of the best tools for this is XSS Hunter. In addition to Stored and Reflected XSS, another type of XSS, DOM Based XSS was ...
PortSwigger
portswigger.net › web-security › cross-site-scripting › reflected
What is reflected XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy
If the candidate XSS payload was modified by the application, or blocked altogether, then you will need to test alternative payloads and techniques that might deliver a working XSS attack based on the context of the reflection and the type of input validation that is being performed. For more details, see cross-site scripting contexts
Discussions

Fixing Reflected XSS issue in Javascript. CheckMarx - Stack Overflow
I was trying to validate my code using CheckMarx but am stuck at a couple of vulnerabilities that I am unable to find a fix for. The following are the code lines where the vulnerabilities were rais...
stackoverflow.com
ELI5: explaining cross-site scripting attack?
Here's the code for displaying a text popup on a website: That code is just text, so if Reddit simply copied the text I just posted into the web page, anyone who visited this comment section would see a popup that says "Hello". Instead, Reddit modifies the text I wrote so it looks the same but is no longer valid code. If a website forgets to modify text like this, it opens up the possibility for a malicious person to insert code into comments. A malicious person wouldn't display a popup though, they'd write a program that grabs login data and sends it to a server they control. That's a cross-site scripting attack, or XSS.
r/explainlikeimfive
September 27, 2022
ELI5: Cross-Site Scripting vulnerability
On very many sites, users have some control over what the web site displays. Consider this right here. I typed all this text into a box and clicked "comment." That text was sent to reddit's servers and then added to the code for this very web page and is now appearing on your screen, as interpreted by your browser. Basically, reddit has taken the data I've given it and that data has now become part of the code of reddit's web pages. But the "code" for a web page can include information for your browser to display visually but can also contain instructions for things for your browser to do, like run programs. So what if the text I give to reddit for it to make part of its web page's code includes instructions? An instruction like: "download this program and run it"? Well, if the web page is poorly built, it will just blindly accept that code, add it to its web page and your browser will blindly run it. This is a Cross-Site Scripting attack. The "script" is the instructions I've provided. The "Cross-Site" is the fact that my instructions are directing your browser to download or run something from a third site, using the site you're visiting as an intermediary. The vulnerability is when a site allows for this type of attack to occur.
r/explainlikeimfive
November 17, 2022
People also ask

How to Test for Cross-Site Scripting Vulnerabilities?
XSS testing uses vulnerability scanners and penetration testing tools to simulate attacks and find potential entry points for malicious scripts.
sentinelone.com
sentinelone.com › cybersecurity-101 › threat-intelligence › how-to-prevent-cross-site-scripting-xss-attacks
How to Prevent Cross-Site Scripting (XSS) Attacks?
What are the Tools and Solutions to Detect and Prevent XSS Attacks?
Solutions and tools include vulnerability scanners, web application firewalls, and advanced threat detection systems. These help detect vulnerabilities and block malicious scripts from running.
What are XSS Attacks?
XSS attacks involve injecting malicious scripts into websites to allow hackers to access sensitive user data. XSS attacks exploit web application vulnerabilities and often use user input or manipulated URLs.
Invicti
invicti.com › blog › web-security › reflected-xss-attack
What is Reflected XSS and How to Prevent It
August 20, 2020 - The vast majority of cross-site scripting attempts, including non-persistent XSS, can be detected by a modern vulnerability testing solution. Invicti finds many types of XSS, from basic reflected XSS to more sophisticated attacks like DOM-based and blind XSS, and provides detailed recommendations about suitable remedies.
Veracode
docs.veracode.com › manage risk › review findings › resolve findings › about cross-site scripting (xss) attacks › prevent reflected xss attacks
Prevent reflected XSS attacks | Veracode Docs
March 24, 2026 - This section explains reflected Cross-site Scripting (XSS), typical examples of such attacks, and best practices to prevent the underlying vulnerabilities.
Acunetix
acunetix.com › home › web security blog › cross-site scripting
Cross-site Scripting | Acunetix
August 8, 2023 - This is a simple example, but it illustrates how a more dangerous script could be used to attack the search engine. The first line of defense against Cross-site Scripting attacks is verification and filtering of Web application input strings (in both ASCII and Hex form).
SentinelOne
sentinelone.com › cybersecurity-101 › threat-intelligence › how-to-prevent-cross-site-scripting-xss-attacks
How to Prevent Cross-Site Scripting (XSS) Attacks?
January 8, 2026 - They cannot mass deliver payloads; most reflected XSS attacks are carried out on social media networks. DOM-based XSS involves hacking into user accounts by taking malicious JavaScript code from an attacker’s controllable source. It passes this code into a sink that executes it dynamically and runs the block arbitrarily. The browser URL is the most common source for these cross-site scripting ...
Imperva
imperva.com › home › appsec › reflected cross site scripting (xss) attacks
Reflected XSS | How to Prevent a Non-Persistent Attack | Imperva
December 20, 2023 - With signature based security rules, supported by other heuristics, a WAF can compensate for the lack of input sanitization, and simply block abnormal requests. This includes, but is not limited to, requests that attempt to execute a reflected cross site scripting attack.
PortSwigger
portswigger.net › web-security › cross-site-scripting
What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy
Stored XSS, where the malicious script comes from the website's database. DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code. Reflected XSS is the simplest variety of cross-site scripting.
Mozilla
developer.mozilla.org › en-US › docs › Web › Security › Attacks › XSS
Cross-site scripting (XSS) - Security | MDN
December 15, 2025 - One big difference between the two examples is that the malicious code is injected in different parts of the website's codebase, and this is a reflection of each website's architecture. A website that uses client-side rendering, such as a single-page app, modifies pages in the browser, using web APIs such as document.createElement() to do so, either directly, or indirectly through a framework like React. It's in the course of this process that XSS injection will happen. That's what we see in the first example: the malicious code is injected in the browser, by a script running in the page assigning the URL parameter value to the Element.innerHTML property, which interprets its value as HTML code.
Bright Security
brightsec.com › blog › xss
What is XSS? Impact, Types, and Prevention - Bright Security
August 10, 2025 - Reflected and stored cross-site scripting can be sanitized on the server-side and there are multiple ways of doing it. Blacklisting characters that are deemed unsafe won’t really work out in the long run since some malicious user might figure out some bypass for it as it usually happens.
Bright Security
brightsec.com › blog › reflected-xss
Reflected XSS: Examples, Testing, and Prevention - Bright Security
August 10, 2025 - You can sanitize reflected and stored cross-site scripting via the server-side, and there are several ways of carrying this out.
Microsoft Learn
learn.microsoft.com › en-us › aspnet › core › security › cross-site-scripting
Prevent Cross-Site Scripting (XSS) in ASP.NET Core | Microsoft Learn
1 month ago -

@{
    var untrustedInput = "<script>alert(1)</script>";
}

<div id="injectedData" data-untrustedinput="@untrustedInput" />
<div id="scriptedWrite" />
<div id="scriptedWrite-html5" />

<script>
    var injectedData = document.getElementById("injectedData");

    // All clients
    var clientSideUntrustedInputOldStyle = injectedData.getAttribute("data-untrustedinput");

    // HTML 5 clients only
    var clientSideUntrustedInputHtml5 = injectedData.dataset.untrustedinput;

    // Put the injected, untrusted data into the scriptedWrite div tag.
Intigriti
intigriti.com › blog › hacking tools › hunting for reflected xss vulnerabilities: a complete guide
Reflected XSS: Advanced Exploitation Guide | Intigriti
October 26, 2025 - While in other cases, it might be the only possible solution, as characters used to open and close HTML tags are explicitly filtered. Example 2: Basic cross-site scripting (XSS) with an inline HTML payload · As applications become more complex, developers tend to introduce more security weaknesses, including XSS vulnerabilities. While this context occurs a lot less, sometimes developers reflect unsanitized user input right inside the JavaScript context.
GeeksforGeeks
geeksforgeeks.org › ethical hacking › reflected-xss-vulnerability-in-depth
Reflected XSS Vulnerability in Depth - GeeksforGeeks
July 23, 2025 - The client-side code runs in an “unexpected” manner. ... Reflected Cross-Site Scripting is the type in which the injected script is reflected off the webserver, like the error message, search result, or any other response.
Legit Security
legitsecurity.com › aspm-knowledge-base › what-is-reflected-xss
What Is Reflected XSS? Prevent Cross-Site Scripting Attacks
March 2, 2026 - Once executed, the script can redirect users to phishing sites, modify website content in real time, or exfiltrate sensitive information, including personal data or confidential business information. For organizations integrating AI-powered tools, reflected XSS vulnerabilities can introduce additional risks, particularly with GenAI-based application security and risks with embedded LLM in applications.
Reddit
reddit.com › r/cybersecurity › how exactly does cross site scripting (xss) work?
r/cybersecurity on Reddit: How exactly does Cross Site Scripting (XSS) work?
August 21, 2024 -

Hello,

So I know the general concept of XSS, where a threat actor infects a website's code with its own malicious part of code, but what happens later? How does it work on the victim's side? Does the malicious party first create a fake link which is actually the same as the original link (with no typos) and send it to the receiving party, or is there any other way? I know about DOM-based XSS, but how exactly does it differ from standard XSS?

I have also heard about reflected XSS, which affects the website owner's server, which validates the fake link with malicious code in it. How different is that from the aforementioned attacks, and how can one mitigate them?

I am sorry if this thread is too simple but I'd like to understand it as I am an idiot in this matter.

Top answer
1 of 5
146
There are 3 basic types of XSS: reflected, stored and DOM based.

Stored XSS is an attack on a site that allows users to submit and store HTML in some way (e.g. in a comment or user profile). If the input is not properly filtered, an attacker can embed malicious JavaScript in the HTML. Then anyone who visits the site and happens to bring up that user's comment will get the payload.

Reflected XSS is when a site takes user input and embeds it in the page, but without storing it on the server. An example would be a multistep form that uses your answer to the first question to determine the next question, e.g. "what's your favourite food?" If the user answers "pizza", the form then asks "what's your favourite pizza?" But the user answers with , the form will ask "what's your favourite " if it doesn't correctly filter/validate the user input. It's "reflected" because the user's input is reflected back to them in the HTTP response from the server. But since this isn't stored on the server, the attacker would need to trick the user into opening a crafted URL with the malicious answer embedded in it.

DOM XSS is similar, but the difference is that the HTTP response from the server doesn't change, it's only what happens on the client side that differs. This is where the site takes user input and uses it directly in JavaScript on the page. The user input never hits the server, so the server-side code can't filter/validate the input, instead the JavaScript itself must do it. Again, you would need to trick a user into opening a specially crafted URL to execute this attack.

Aside from safely encoding/filtering/validating user input in code, the other way to prevent these attacks is by implementing a strict Content Security Policy on the web server that only allows scripts with the right nonce or hash to be executed.
2 of 5
24
Persistent XSS: Content is saved to the website. Attacker sits back and waits for victim to browse to affected page. Shenanigans ensue.

Reflected XSS: Content provided by user is reflected back to user. Attacker sends malicious link to user. They click on it which sends them to affected page with payload unlocked. Shenanigans ensue.

DOM XSS: Somewhere in between the choices above. The server content is not persistently changed; nor is the malicious content directly reflected; but some element of input (probably a URL portion) is embedded in the page insecurely. Attacker gets user to click on malicious link to page which embeds the payload. Shenanigans ensue.
Top answer
1 of 2
1

Make sure to sanitize any input you get from users, that includes taking any parameters from the request. You can find many sanitization modules or middleware that will do this for you, just try a quick Google search.

As for open redirect, if the url parameter is coming from a user, use Regex or something of the like to parse the domain. It could even just be something as simple as making sure it starts with the right protocol and domain.

2 of 2
0

I believe Checkmarx sees the url variable first in the flow as arbitrary which is why it is seeing it as a Client DOM Open Redirect vulnerability. You can try prefixing the url with a hardcoded value if you don't need it to be arbitrary.

// Refuse to redirect unless both IDs are numeric.
if (isNaN($rootScope.selectedContext.defaultAppPageId) || isNaN($rootScope.defaultHierarchyId)) {
    return;
}
// The hardcoded scheme and host prefix keeps the redirect target from being arbitrary.
var redirectUrl = "https://stackoverflow.com?" +
    "appPageId=" + $rootScope.selectedContext.defaultAppPageId +
    "&hierarchyId=" + $rootScope.defaultHierarchyId;
window.location.href = encodeURI(redirectUrl);

For the XSS vuln, it well could be considered as a false positive since Angular sanitizes and escapes untrusted values. However, you can't always trust the view engine to do its job so if you really wanted an explicit fix, you may want to use an HTML encode library (find a decent one, this is just an example):

var htmlencode = require('htmlencode');

// HTML-encode the request parameter before it is written into the response.
res.send("The Context " + htmlencode.htmlEncode(req.params.contextName) + " has restricted access. Please request access to this page");

Hope this helps!

Inspectiv
inspectiv.com › articles › differences-of-stored-xss-and-reflected-xss
Differences of Stored XSS and Reflected XSS
October 10, 2025 - A reflected XSS attack occurs when a malicious injection affects a user directly. Yet the malicious script is not on the webserver the user attempted to reach. ... The site above accepts the user’s input data and renders it immediately.
Medium
medium.com › @nurlanisazade › real-world-examples-of-xss-with-source-code-and-exploits-83cd264ea260
Real-World Examples of XSS with Source Code and Exploits | by Nurlan Isazade | Medium
June 20, 2024 - An e-commerce website has a search feature that reflects user input in the results page. ...

<!-- search_form.html -->
<form action="search.php" method="GET">
    <input type="text" name="q" placeholder="Search...">
    <button type="submit">Search</button>
</form>

...

// search.php
<?php
$search_query = $_GET['q'];
echo "<h1>Search results for: " . $search_query . "</h1>";
// Search logic...
?>

... When a user clicks the link, the script executes, displaying an alert box.