Prerequisites
To understand this whole article, you will need:
Definition
A reflected XSS is possible when a URL parameter is echoed back into the page without being escaped.
Explanation of the vulnerability
Take as an example a page with a search function.
Here is the relevant part of the page's PHP code:
<form action="" method="get">
<input type="text" name="search" id="search">
<input type="submit" value="Search">
</form>
<?php
// Vulnerable on purpose: the raw GET parameter is written straight into the HTML.
if (isset($_GET['search'])) {
    echo 'Résultats pour la recherche "' . $_GET['search'] . '"';
}
?>
The interesting part of this code is the echo function, which displays the user's search term without any filtering. This lets us enter tags that will then be interpreted by the browser.
For example, if we try to inject <u>hello</u>, the rendering on the page will be:
hello
(underlined): the echo function passed the <u> tags through unchanged and the browser interpreted them.
You are probably wondering how dangerous it is for a user to send an underlined message. The problem is that if echo lets the <u> tags through to the browser, it will let <script> tags through just the same.
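To make the fix concrete, here is an added example (not code from the original article) that puts the vulnerable echo from the snippet above beside a hardened version that escapes the parameter with htmlspecialchars() before it reaches the HTML. The function names and the sample inputs are my own; the escaping shown is for an HTML body context, which is where this page's echo writes.

```php
<?php
// Added example, not from the original article. Function names are assumed.

// Vulnerable: the raw parameter is concatenated into HTML, so any tag in it
// is parsed by the browser. This mirrors the echo in the article's snippet.
function render_vulnerable(string $search): string {
    return 'Résultats pour la recherche "' . $search . '"';
}

// Hardened: htmlspecialchars() turns <, >, &, " and ' into entities, so the
// browser displays the characters instead of treating them as markup.
// ENT_QUOTES covers both quote styles; the charset must match the page's.
function render_safe(string $search): string {
    $escaped = htmlspecialchars($search, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Résultats pour la recherche "' . $escaped . '"';
}

// Constructed inputs: the underlined "hello" from the article and the
// script tag it mentions, to compare how each version handles them.
$inputs = ['<u>hello</u>', '<script>alert()</script>'];

foreach ($inputs as $input) {
    echo "input:      $input\n";
    echo "vulnerable: " . render_vulnerable($input) . "\n";
    echo "safe:       " . render_safe($input) . "\n\n";
}

// In the page itself, apply the same escaping to the GET parameter:
// if (isset($_GET['search'])) { echo render_safe($_GET['search']); }
```

Running this from the command line prints the escaped form (for example `&lt;u&gt;hello&lt;/u&gt;`) next to the raw one, which is what the browser would receive in each case.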
Exploit
Now that our tags are being interpreted, we can move on to the exploit. By entering <script>alert()</script>, the script is executed when the page loads and the alert is displayed. Once you can execute JavaScript, you can for example retrieve other users' cookies.
I’ll let you see my XSS Cheat Sheet to see how to get these famous cookies. :)