In the previous post we looked at what XSS is, its types, and a basic example with a simple payload; that example was a reflected XSS. In this post let's look at more reflected XSS examples and other methods to get a better understanding of the reflected XSS attack. Before that, let's cover some very basic HTML so you get an idea of how a payload works: the exact script we used in the last article won't always work, and to create your own payload you need basic HTML and JavaScript, even though cheat sheets of XSS payloads are available.

Basic HTML

As you know, web pages are written in HTML, and the browser renders that code to show you the result rather than the code itself. If there is HTML for a form that takes a username and password, the browser takes that code and shows you the form it produces; it doesn't show you the code.

Every HTML element is written with the angle brackets < > around a tag name. A tag is just a command that tells the browser what the element is and what to do with it; for example, the <img> tag tells the browser that an image goes there. Some common tags you should know:
<input>
<h1>
<h6>
<pre>
etc.
One thing to remember: most tags start like <h1> and end like </h1>; the / marks the closing tag, and whatever comes after it belongs to a different element. Some tags have no closing tag at all. The input tag is one of them: the start tag alone is the whole element.
<input>

Tags can also carry attributes, and one tag can have many of them, like this: <input type='text' value='xyz'>

Here type and value are the attributes of the input tag, and text and xyz are the values of those attributes.
An attribute value that starts with a single quote (') must end with a single quote ('), and one that starts with a double quote (") must end with a double quote ("). Keep this in mind for XSS: when your input is reflected inside a quoted attribute value, that quote character is what separates your text from the rest of the tag.


That is the very basics of HTML; you can learn more from other resources. Besides HTML you should also know JavaScript, but I can't give you its basics here because JavaScript is more advanced and needs more background. If you are really interested in learning XSS in more depth and want to create your own payloads, learn HTML and JavaScript.

Reflected XSS

So let's look at another vulnerable website. For this I am using DVWA (Damn Vulnerable Web Application) on my local machine, a deliberately vulnerable web app for practice. If you have DVWA installed, open it in your browser, set the security level to Low and select the Reflected XSS page.

DVWA Low Security Reflected XSS

Once the DVWA reflected XSS page opens you will see an input box. Enter anything, for example hacker, and submit it. You can see that your input is reflected back onto the page.


Why is reflection so important for this kind of XSS? If the input is reflected, the HTML the server sends back must contain it. For example, we enter hacker and submit it to the server; the server replies with a page that shows our search query hacker, and since the browser only displays the HTML it receives from the server, our search query hacker must be somewhere in that HTML code.

Now right-click in the browser, choose View Page Source, press Ctrl+F and search for your query, hacker. You will see that the server's response to the browser is HTML, and that the server has included our search term hacker as text inside a pre tag.

This is where reflected XSS comes in. Every search query is reflected and ends up in the HTML code, so instead of a normal search term we can put JavaScript (wrapped in HTML tags) directly into the search box; it will also be placed into the HTML, and the browser will execute the JavaScript, because JavaScript runs as part of the HTML the browser renders.


Now, our input hacker sits inside a pre tag. Whether JavaScript we inject there executes does not depend on the pre tag itself: text between <pre> and </pre> is still parsed as HTML, so a <script> tag placed there runs. What decides it is where in the HTML our input lands (as plain text between tags, inside an attribute value, or inside a script) and whether the server encodes or filters the input before echoing it back.

Let's take a look. Go back to the same reflected XSS page in DVWA and enter a basic JavaScript payload in the input box, like this: <script>alert(1)</script>


Click Submit and you will see that our JavaScript executes and shows a pop-up with 1. Now open View Page Source again and search for alert: our script tag is inside the HTML tag called pre and still executed. Two things are happening here:
1. The web application is vulnerable to reflected XSS.
2. The server-side code (PHP, in DVWA's case) has no protection at all: it applies no output encoding or filtering, so our input is placed into the HTML exactly as we typed it.
In real life the same payload often won't execute: the server may encode < and > so the browser shows the text instead of parsing a tag, or your input may land inside an attribute value or a script block, where a bare <script> tag means nothing. To execute JavaScript there you have to figure out where your input lands and what the server does to it, and then build a payload that works in that context. That is one of the main things bug bounty hunters do for XSS. We will look at how to do this in the next article; I hope it's now clear what XSS and reflected XSS are.
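To make the context point concrete, here is an added Python example; it is not part of the original article or of DVWA's code. It models two ways a server might reflect the name parameter: as text between <pre> and </pre>, which is roughly how DVWA's low-security page echoes it, and inside a double-quoted value attribute of an input tag, an assumed second context included for comparison (this also illustrates the attribute quoting rule from the HTML section above). For each context it checks, with Python's standard-library HTML parser, whether a payload came back verbatim and whether it actually changed the page's markup, both with and without the server HTML-encoding the input via html.escape. The payloads and responses are constructed samples.

```python
import html
from html.parser import HTMLParser

# Constructed payloads. SCRIPT_PAYLOAD is the one used in the DVWA walkthrough;
# ATTR_PAYLOAD is an assumed payload for the attribute context: it closes the
# quoted value attribute and adds an event-handler attribute of its own.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'
BENIGN = "hacker"


def render_text_context(name: str, escape: bool = False) -> str:
    """Input lands between <pre> and </pre>, roughly how DVWA (low) echoes
    the name parameter. With escape=True the server HTML-encodes it first."""
    value = html.escape(name, quote=True) if escape else name
    return "<pre>Hello " + value + "</pre>"


def render_attr_context(name: str, escape: bool = False) -> str:
    """Assumed second context: input lands inside a double-quoted attribute."""
    value = html.escape(name, quote=True) if escape else name
    return '<input type="text" name="name" value="' + value + '">'


class _Shape(HTMLParser):
    """Collects (tag, attribute names) for every start tag the browser would
    see; that is what matters for whether injected markup took effect."""

    def __init__(self) -> None:
        super().__init__()
        self.shape = []

    def handle_starttag(self, tag, attrs):
        self.shape.append((tag, tuple(sorted(a for a, _ in attrs))))


def markup_shape(response: str):
    parser = _Shape()
    parser.feed(response)
    parser.close()
    return parser.shape


def reflected_verbatim(response: str, payload: str) -> bool:
    """The first thing to check in View Page Source: is the payload echoed
    back character for character?"""
    return payload in response


def markup_injected(render, payload: str) -> bool:
    """True when the payload adds tags or attributes compared with benign
    input, i.e. the browser treats it as HTML rather than as text."""
    return markup_shape(render(payload)) != markup_shape(render(BENIGN))


if __name__ == "__main__":
    contexts = {
        "text in <pre>": render_text_context,
        "quoted attribute": render_attr_context,
    }
    for label, render in contexts.items():
        for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
            for escape in (False, True):
                r = lambda n, render=render, escape=escape: render(n, escape)
                print(f"{label:17} escape={escape!s:5} {payload!r:33} "
                      f"reflected={reflected_verbatim(r(payload), payload)!s:5} "
                      f"injected={markup_injected(r, payload)}")
```

Running it shows the four situations the walkthrough is about: the script payload is both reflected and injected in the pre context without encoding (the DVWA low case); with html.escape it is neither; in the attribute context it is reflected verbatim yet injects nothing, because inside a quoted value it is just text; and the attribute payload is the reverse, working only in the attribute context. A payload that is echoed verbatim is a lead, not yet a finding, until the markup actually changes.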

You can join our Telegram channel for free ebooks and other updates, and follow us on Twitter and Instagram.
Share it if you like it.