Prerequisites

To understand this whole article, you will need:

  • Know how to code in HTML
  • Know the basics of PHP and JavaScript
  • Know what an XSS is (see my article on XSS if needed)

Definition

A reflected XSS is possible when a URL parameter is displayed on the page as-is.

Explanation of the vulnerability

Take as an example a page with a search function.
Here is the relevant part of the PHP code for this page:

    <!-- Search form: the term is sent back to this same page as ?search=... -->
    <form action="" method="get">
    <input type="text" name="search" id="search">
    <input type="submit" value="Search">
    </form>
    
    <?php
    // Vulnerable on purpose: the search parameter is echoed into the HTML
    // without any escaping, so tags inside it are interpreted by the browser.
    if(isset($_GET['search'])) {
        echo 'Résultats pour la recherche "' . $_GET['search'] . '"';
    }
    ?>
    

The interesting part of this code is the echo statement, which displays the user's search term without any filtering. This allows us to enter HTML tags, which the browser will then interpret.

For example, if we try to inject <u>hello</u>, the rendering on the page will be:
hello (underlined)
The echo statement interpreted the <u> tags. You may wonder how dangerous it is for a user to send an underlined message; the point is that if echo interprets <u> tags, it will also interpret <script> tags.
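As an added example (not code from the original article), here is the same echo placed next to a hardened version that escapes the parameter with htmlspecialchars() before output; the function names and the sample inputs are my own.

```php
<?php
// Added example: the vulnerable echo from the article beside a hardened one.
// For a value reflected into the HTML body, output escaping is the fix.

// Vulnerable: the raw GET parameter is concatenated straight into the HTML.
function render_search_vulnerable(string $search): string
{
    return 'Résultats pour la recherche "' . $search . '"';
}

// Hardened: htmlspecialchars() turns <, >, &, " and ' into entities, so the
// browser shows them as text instead of parsing them as tags or attributes.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8; the charset must match the page encoding.
function render_search_safe(string $search): string
{
    $escaped = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return 'Résultats pour la recherche "' . $escaped . '"';
}

// Constructed sample inputs: a normal search, the underline test from the
// article, and a script tag (the reflected XSS case).
$samples = [
    'shoes',
    '<u>hello</u>',
    '<script>alert()</script>',
];

foreach ($samples as $input) {
    echo "input:      {$input}\n";
    echo "vulnerable: " . render_search_vulnerable($input) . "\n";
    echo "hardened:   " . render_search_safe($input) . "\n\n";
}

// Wiring the hardened version into the page from the article:
if (isset($_GET['search'])) {
    echo render_search_safe($_GET['search']);
}
```

Run it from the command line to compare the two outputs side by side; the hardened line prints the tags as literal text (`&lt;script&gt;...`), which is exactly what the browser will show rather than execute.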

Exploit

Now that we have the ability to get our tags interpreted, we can move on to exploitation. By entering <script>alert()</script>, the script will be executed when the page loads and the alert will be displayed. From the moment you can execute JavaScript, you can, for example, retrieve the cookies of other users.
See my XSS Cheat Sheet to learn how to retrieve those famous cookies. :)

XSS Cheat Sheet