Reflected XSS
Reflected XSS occurs when an application takes input from the current HTTP request and includes it in the response without encoding. The payload is not stored. Each time the attack executes, a request carrying the payload must be made to the server, and the server must return it in the response.
Where Input Appears in Responses
Common locations where request input is reflected into HTML responses:
- Search results pages that echo the query (for example, Results for: [query])
- Error messages that include the invalid input value
- Form fields repopulated with submitted values after validation failure
- URL parameters used to control page state, rendered into the document
A search endpoint that builds the response:
<p>Results for: <?= $_GET['q'] ?></p>
A request with q=<script>alert(document.cookie)</script> causes the server to return that string verbatim inside a paragraph element. The browser parses the <script> tag and executes the content.
Injection Contexts
The characters needed to break out of the current context depend on where the input lands in the document:
HTML body context: input rendered as element content. Breaking out requires < to open a new tag. The injected content can be a <script> element or an element with event attributes such as <img src=x onerror=...>.
HTML attribute context: input placed inside an attribute value. If the value is unquoted, a space terminates it. If it is quoted, the matching quote character terminates it. Injecting an event handler attribute (onmouseover, onfocus) can execute script without opening a new tag.
JavaScript string context: input placed inside a string literal in a <script> block. The quote character matching the string delimiter closes the string. After closing the string, arbitrary JavaScript follows.
URL context: input placed into an href or src attribute. A javascript: scheme executes script when the link is followed or the resource is loaded.
Each context requires a different payload structure. A payload that works in the HTML body may not work inside a quoted attribute, and vice versa.
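The following is an added example, not code from the original page: it reimplements the search endpoint above in Python alongside a hardened version, and shows one encoder per context named in this section, so the same input can be checked against each. Function names, the `safe_url` scheme allow-list and the sample input are assumptions made for the example.

```python
import html
import json
from urllib.parse import urlparse

# Constructed sample input: the payload the article's search-endpoint example uses.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_results_vulnerable(q: str) -> str:
    """Mirror of the PHP search endpoint: q is reflected verbatim into the body."""
    return f"<p>Results for: {q}</p>"


def encode_html_body(value: str) -> str:
    """HTML body context: entity-encode < > & " ' so no new tag can be opened."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """HTML attribute context: always emit a quoted attribute and encode the
    quote characters, so neither a space nor a quote can terminate the value."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """JavaScript string context: emit a JSON string literal, and additionally
    escape < > & so a '</script>' inside the value cannot close the script block."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def safe_url(value: str) -> str:
    """URL context (href/src): encoding cannot neutralise a javascript: scheme,
    so allow only absolute http(s) URLs and replace anything else with '#'.
    The caller still attribute-encodes the result before emitting it."""
    scheme = urlparse(value.strip()).scheme.lower()
    return value if scheme in ("http", "https") else "#"


def render_results_safe(q: str) -> str:
    """Hardened search endpoint: the query is encoded for the body context it lands in."""
    return f"<p>Results for: {encode_html_body(q)}</p>"


if __name__ == "__main__":
    print(render_results_vulnerable(PAYLOAD))  # script tag reaches the browser intact
    print(render_results_safe(PAYLOAD))        # rendered as literal text, not parsed as a tag
```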
Delivery
Reflected XSS requires the victim to send the crafted request. The typical delivery method is a URL sent via email, messaging, or embedded in another page as a link. When the victim clicks the link, their browser sends the request with the payload, the server reflects it, and the browser executes the returned script in the context of the target origin.
URL shorteners obscure the payload. Encoded characters (%3C for <) may bypass superficial filters while remaining valid when the browser decodes the URL before sending the request.
Scope
Reflected XSS affects one victim per request. The attacker must individually deliver the crafted URL to each target. This limits scale but does not limit severity: a single successful execution against an authenticated session has the same consequences as stored XSS against that session.