Day 1: https://github.com/Yavuzlar/VulnLab/tree/main
Reflected Cross-Site Scripting (XSS) happens when user input is sent to the server and the server reflects that input back into the HTML response. The browser then executes it as JavaScript.
In this lab: the application directly reflected input from the q parameter into the page without sanitization or encoding.
That's the mistake.
Root Cause (Why It Happens)
The backend logic conceptually looked like this:
echo $_GET['q'];
There was no:
Input validation
Output encoding
HTML escaping
So whatever the user sends gets rendered, and the browser executes it.
The browser doesn't know it's malicious. It just sees valid HTML/JS.
Lab Environment
Vulnerability: Basic Reflected XSS
Severity (from report): High (CVSS 7.4)
The vulnerability occurs because:
User-controlled input from the q parameter is reflected directly into the HTML response.
Proof of Concept (PoC)
Payload Used:
<script>alert('XSS')</script>
How to Reproduce
Navigate to the vulnerable page.
Locate the URL parameter q.
Inject the payload:
http://target-site/lab/xss/basic-reflected/?q=<script>alert('XSS')</script>
Press Enter.
Result
A JavaScript alert box appears.
This confirms:
Input was reflected
Script executed in browser context
No sanitization present
That popup = JavaScript execution = vulnerability confirmed.
Why Is This Dangerous?
Even though we used alert() for testing, a real attacker could:
Steal session cookies
Hijack accounts
Impersonate users
Modify page content
Redirect users to phishing sites
That's why this vulnerability was rated High Severity in the assessment.
CVSS Breakdown (From Report)
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Score: 7.4 (High)
Meaning:
Network exploitable
No authentication required
Low complexity
User just needs to click a crafted link
How To Fix It (Remediation)
1. Output Encoding (Most Important)
Always encode before rendering in HTML:
echo htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
2. Validate Input
Allow only expected characters.
3. Use Content Security Policy (CSP)
Example:
Content-Security-Policy: script-src 'self'
4. Use Security Libraries
Like:
OWASP ESAPI
DOMPurify (for frontend)
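As an added example (not code from the lab or this write-up), here are the vulnerable and fixed search handlers side by side in Python, with html.escape(quote=True) standing in for htmlspecialchars with ENT_QUOTES, plus a small check a tester can run against any response body. The page template, the header set, and the sample URL are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request, mirroring the lab's PoC (not a real host).
POC_URL = "http://target-site/lab/xss/basic-reflected/?q=<script>alert('XSS')</script>"

# Constructed page template; the q slot is where the reflection happens.
TEMPLATE = "<html><body><p>You searched for: {q}</p></body></html>"


def get_q(url: str) -> str:
    """Pull the q parameter out of a URL, the way $_GET['q'] would."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    """Mirrors `echo $_GET['q'];` -- raw input is written straight into the HTML."""
    return TEMPLATE.format(q=q)


def render_fixed(q: str) -> str:
    """Mirrors htmlspecialchars($q, ENT_QUOTES, 'UTF-8'): html.escape with
    quote=True encodes &, <, >, double and single quotes, so the browser
    treats q as text rather than markup."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def response_headers() -> dict:
    """Headers the fixed page should ship with; the CSP is the one from the
    remediation section and blocks inline scripts even if encoding is missed."""
    return {
        "Content-Type": "text/html; charset=UTF-8",
        "Content-Security-Policy": "script-src 'self'",
    }


def is_reflected_unescaped(body: str, q: str) -> bool:
    """Tester's check: does input containing HTML-significant characters appear
    verbatim in the response body? True means the reflection is unencoded."""
    return html.escape(q, quote=True) != q and q in body
```

The check only flags input that actually contains characters html.escape would change, so plain words reflected into the page are not reported.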
Beginner Explanation (Super Simple)
Think of it like this:
The website asked:
"What do you want to search?"
You replied:
"Run this JavaScript code."
And the website said:
"Sure!"
That's Reflected XSS.
The server trusted user input.
Never trust user input.
Key Takeaway: Day 1
Reflected XSS is:
Easy to find
Easy to exploit
Extremely dangerous
100% preventable
Security is not about fancy hacking. It's about developers respecting user input.
