Reflected XSS

In this lab, you learn what it means for a site to be susceptible to cross-site scripting, specifically the reflected XSS vulnerability. You will also learn the difference between local and remote reflected XSS.

Outcomes

In this lab, you will learn to:

  1. Demonstrate a locally reflected XSS attack.
  2. Demonstrate a locally reflected XSS to display session IDs.
  3. Demonstrate a remote reflected XSS attack.

Videos:

Before you start this lab, review these videos.

Locally Reflected XSS

Locally Reflected XSS to Display Session IDs

Remote Reflected XSS

Overview

The development of this document is funded by the Boston Area Advanced Technological Education Connections (BATEC) Grant No. NSF-0703097 through Bunker Hill Community College.

Cross-site scripting (XSS) is a type of injection attack that exploits a web page through injected code. These attacks take three forms: nonpersistent (reflected), persistent (stored), and DOM-based nonpersistent XSS. This lab concentrates on reflected XSS, a client-side attack in which all insertions occur only in the client-side page and the information is reflected back to the local user. Once the code is injected into the client-side page, all of its functionality is stored within the URL. Thus, just as with HTML injection (HTMLi), attackers can use social engineering tactics to entice users to click on malicious links in order to retrieve sensitive information.

Figure: Cross-Site Scripting

Key terms and descriptions

Cross-Site Scripting
Cross-site scripting is the most common vulnerability, identified in most live web-based applications. A web application is a collection of user inputs and search fields, and these are the carrier through which a cross-site scripting (XSS) attack happens.
Reflected XSS
A reflected XSS attack occurs when a malicious script is reflected in the website’s results or response.
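
The reflection described above, shown in JavaScript as an added example that is not part of the original lab material: a hypothetical search handler writes the q URL parameter into its response unencoded, next to a hardened version that HTML-encodes it at output. All function names, the /search path and the lab.example host are assumptions, and the sample request is constructed.

```javascript
// Added example. Hypothetical names throughout: escapeHtml, getQuery, page,
// renderVulnerable, renderHardened, reflectsRawMarkup, /search, lab.example.

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the q parameter from the request URL (percent-decoded, as a server sees it).
function getQuery(requestUrl) {
  return new URL(requestUrl, "http://lab.example").searchParams.get("q") ?? "";
}

// The response template: the value lands in an attribute and in element text.
function page(value) {
  return `<input name="q" value="${value}"><p>Results for: ${value}</p>`;
}

// Vulnerable: the URL parameter is written into the response unchanged, so any
// markup carried in the link becomes part of the page the browser parses.
function renderVulnerable(requestUrl) {
  return page(getQuery(requestUrl));
}

// Hardened: the parameter is HTML-encoded at output, so it is shown as text.
function renderHardened(requestUrl) {
  return page(escapeHtml(getQuery(requestUrl)));
}

// Review check: did HTML metacharacters from the request come back unencoded?
function reflectsRawMarkup(requestUrl, responseBody) {
  const q = getQuery(requestUrl);
  return /[<>"']/.test(q) && responseBody.includes(q);
}

// Constructed sample request: the whole input travels inside the URL.
const sampleUrl = "/search?q=" + encodeURIComponent("<script>alert(1)</script>");

for (const render of [renderVulnerable, renderHardened]) {
  const body = render(sampleUrl);
  console.log(render.name, "reflects raw markup:", reflectsRawMarkup(sampleUrl, body));
  console.log(body);
}
```

The same reflectsRawMarkup check can be applied to a captured request and response pair when reviewing a page for unencoded reflection.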