/vulndb/Reflected Cross-site Scripting

XSS is a type of web application security vulnerability, which allows code injection by malicious web users into the web pages viewed by other users. Reflected Cross-site Scripting is a type of XSS where the injected code is reflected off the web server. This kind of XSS is short-lived and requires a phishing vector to be delivered to the victim.

An attacker may be able to steal personal data, hijack sessions and perform phishing attacks by forcing a user’s browser to execute a malicious JavaScript payload.

Solution

Sanitise all user-supplied input before using it as part of dynamically generated pages and data. Be cautious of meta character that can be used to build tags and attributes.

Caveats

An XSS payload might not work on every browser and many modern browsers come with basic XSS protection mechanisms.

References

http://en.wikipedia.org/wiki/Cross-site_scripting