Reflected XSS - The Most Common Attack Vector

Reflected XSS, also known as non-persistent XSS, occurs when malicious scripts are immediately returned by a web application in response to a user's request. The attack payload is typically delivered through URL parameters, form inputs, or HTTP headers, and is "reflected" back to the user without being stored on the server. Imagine a search function that displays "You searched for: [user input]" without proper sanitization. An attacker could craft a malicious URL containing JavaScript code in the search parameter, and when a victim clicks this link, the script executes in their browser.

The mechanics of reflected XSS are deceptively simple yet devastatingly effective. Consider a vulnerable search page at example.com/search?q=laptops that displays results with the message "Search results for: laptops". An attacker could create a malicious link like example.com/search?q=<script>steal_cookies()</script>. When a user clicks this link, perhaps from a phishing email or malicious website, the server reflects the script back in the response, and the victim's browser executes it. The script runs with full access to the victim's session on example.com, potentially stealing cookies, session tokens, or performing actions on their behalf.
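The following is an added example, not code from the original article: a minimal "Search results for: ..." renderer in two forms. `renderSearchVulnerable` reflects the `q` parameter verbatim, which is the defect the article describes; `renderSearchSafe` HTML-escapes it first, so identical input is displayed as text instead of being parsed as markup. The `/search?q=` route comes from the article; the function names, the `escapeHtml` helper and the harmless `<b>marker</b>` probe are assumptions made for this example.

```javascript
// Added example (not from the original article). Demonstrates why the reflected
// search page in the text is exploitable and what the fix looks like.
// Function names and the sample inputs below are constructed for this example.

// Escape the five characters that let text break out of an HTML text node or a
// double-quoted attribute value. This encoder is for HTML body/attribute context
// only; JavaScript, URL and CSS contexts each need their own encoder.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Read the `q` parameter from a full request URL, as the article's handler would.
// The WHATWG URL API is built into Node.js and browsers.
function extractQuery(requestUrl) {
  const url = new URL(requestUrl);
  return url.searchParams.get('q') ?? '';
}

// Vulnerable form: the user-controlled value is dropped straight into HTML, so
// any tags in the parameter are reflected as live markup.
function renderSearchVulnerable(requestUrl) {
  const q = extractQuery(requestUrl);
  return `<p>Search results for: ${q}</p>`;
}

// Hardened form: same output for benign input, but markup in the parameter is
// rendered as literal text and never reaches the HTML parser as tags.
function renderSearchSafe(requestUrl) {
  const q = extractQuery(requestUrl);
  return `<p>Search results for: ${escapeHtml(q)}</p>`;
}

// Self-check a test suite can run against a rendered page: after removing the
// single <p>...</p> wrapper the handler emits, does any tag remain?
function containsUnexpectedTag(html) {
  const stripped = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed inputs: the benign query from the article, and a probe URL with a
// harmless <b> tag in `q`. A bold tag is enough to show whether reflected
// markup is interpreted; no script is needed to verify the defect.
const BENIGN = 'https://example.com/search?q=laptops';
const MARKER = 'https://example.com/search?q=' + encodeURIComponent('<b>marker</b>');

console.log(renderSearchVulnerable(MARKER)); // <b>marker</b> survives as markup
console.log(renderSearchSafe(MARKER));       // &lt;b&gt;marker&lt;/b&gt; is plain text
```

The benign case renders identically in both versions, which is why the vulnerability is easy to miss in normal use; only the probe input separates them. In a real application the escaping should come from the templating engine's default output encoding rather than a hand-rolled helper, and the `containsUnexpectedTag` check is the kind of assertion that belongs in the handler's test suite so that a regression to string concatenation fails the build.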

Reflected XSS attacks often rely on social engineering to trick users into clicking malicious links. Attackers might send phishing emails claiming to be from the legitimate website, post links on social media, or use URL shorteners to hide the malicious payload. The transient nature of reflected XSS – where the payload isn't stored on the server – can make these attacks harder to detect through traditional security monitoring. However, this same characteristic also means that each victim must be individually targeted, limiting the scale compared to stored XSS attacks.