# Reflected Cross-Site Scripting XSS
## Metadata
- **Target Name:** [target-name]
- **Title:** Reflected Cross-Site Scripting (RXSS) in [rxss-param] Parameter on [rxss-hostname][rxss-path].
- **Category:** Injection
- **CWE:** 79 – Improper Neutralization of Input During Web Page Generation (CWE-79)
- **CVSS:** 6.1
- **Vulnerable Location**: [rxss-hostname][rxss-path]
- **Vulnerable Parameter:** [rxss-param]
- **Payload:** [rxss-payload]
- **HTTP Request:**
```plaintext
[rxss-http-Request]
```
## Introduction/Description
A reflected cross-site scripting vulnerability was found on the [rxss-hostname] domain at the [rxss-path] endpoint in the [rxss-param] parameter.
Reflected Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
## Proof of Concept
Visit the URL below to see the domain [rxss-hostname] in a pop-up alert box. The domain name in the alert confirms that the injected script runs in the context of the [rxss-hostname] page and can reach its DOM, allowing the attacker to access cookies.
- **Link to full URL with Payload:** [poc-payload](poc-payload)
- **URL with payload in plain text:** `poc-payload`
## Impact
An attacker can use a reflected cross-site scripting attack to steal [rxss-hostname] cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user's session. This vulnerability may also allow attackers to deface [rxss-hostname] or embed malicious content.
## Remediation
Mitigate XSS attacks by using the following best practices.
__Validate and sanitize user input.__
Validate and sanitize all user input so that it cannot be interpreted as code when it is reflected in a response. This must be done on the server side, using server-side input validation and sanitization functions.
__Use content security policies (CSPs).__
CSPs allow you to specify which domains are allowed to load resources on your website. This can help to prevent attackers from injecting malicious code from third-party domains.
__Use an XSS prevention library.__
There are several libraries available that can help to prevent XSS attacks by automatically escaping user input and implementing other security measures.
__Keep your software and libraries up to date.__
Make sure to keep all software and libraries used on your website up to date to ensure that you have the latest security fixes and patches.
**Find out more from [OWASP's Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)**
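The following is an added example, not code from the report or from the [rxss-hostname] application: a raw reflection of a request parameter (the CWE-79 pattern this finding describes) next to the same reflection with context-appropriate output encoding, a regression check that tells a defender whether the parameter is still reflected unencoded, and a starting CSP that blocks inline script. The `PROBE` string, the function names and the CSP values are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed probe string a tester would place in the reflected parameter
# (assumed; [rxss-payload] in the report is whatever was actually used).
PROBE = "<script>alert(document.domain)</script>"


def render_vulnerable(term: str) -> str:
    """'Before': the parameter is interpolated into the HTML body verbatim (CWE-79)."""
    return f"<p>Results for: {term}</p>"


def render_fixed(term: str) -> str:
    """'After': HTML body context, so encode &, <, >, \" and ' before interpolation."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_link_fixed(term: str) -> str:
    """Two contexts at once: the value goes into a URL query string (percent-encode)
    that sits inside an HTML attribute (HTML-encode), and into link text (HTML-encode)."""
    url_part = quote(term, safe="")
    return (f'<a href="/search?q={html.escape(url_part, quote=True)}">'
            f"{html.escape(term, quote=True)}</a>")


def reflects_unencoded(response_body: str, probe: str) -> bool:
    """Regression check for the fix: True means the probe came back byte-for-byte,
    i.e. the parameter is still reflected without encoding."""
    return probe in response_body


# Defence in depth (assumed starting policy): refuse inline script, so a payload that
# slips past encoding still does not execute. Tighten per-site before deploying.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
)


if __name__ == "__main__":
    print(render_vulnerable(PROBE))  # reflects <script>...</script> verbatim
    print(render_fixed(PROBE))       # <p>Results for: &lt;script&gt;alert(document.domain)&lt;/script&gt;</p>
    print(render_link_fixed(PROBE))
    print("still vulnerable:", reflects_unencoded(render_vulnerable(PROBE), PROBE))  # True
    print("fixed:", not reflects_unencoded(render_fixed(PROBE), PROBE))              # True
```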
## Severity Scores
__CWE-79:__ Improper Neutralization of Input During Web Page Generation.
__CVSS v3.1 Base Score:__ 6.1
### Details
| Metric | Value | Comments |
|:--------------------|:---------|:-------------------------------------------------------------|
| Attack Vector | Network | The attack can only be exploited over a network. The target [rxss-hostname] can be accessed over the internet. |
| Attack Complexity | Low | The attacker can expect repeatable success. |
| Privileges Required | None | The attacker requires no privileges to perform the attack. |
| User Interaction | Required | A victim needs to click the malicious link created by the attacker. |
| Scope | Changed | The **vulnerable component** is the vulnerable [rxss-hostname] server. The **impacted component** is the victim's browser. |
| Confidentiality | Low | Information in the victim's browser associated with [rxss-hostname] can be read by the malicious JavaScript code and sent to the attacker. |
| Integrity | Low | Information in the victim's browser associated with [rxss-hostname] can be modified by the malicious JavaScript code. |
| Availability | None | The malicious JavaScript code cannot significantly impact the victim's browser. |