Injection: XSS via Reflected Input

Identifier: improper_input_xss_reflection

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

Cross-Site Scripting vulnerabilities via reflected inputs occur when applications reflect user-supplied query parameters or URL fragment values in the page without adequate sanitization, allowing attackers to inject malicious scripts that execute in users' browsers.

How we test: We inject random canary values into a new query parameter and the URL fragment, then check whether these values are reflected in the page content. If reflection is confirmed, we attempt to inject an XSS payload and verify execution via dialog detection or onclick attribute analysis.
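The canary reflection step described above, narrowed to the query-parameter case, can be run as a self-check against your own rendering code. This is an added example, not the scanner's implementation; the renderers, the `q` parameter, and the `app.example` URL are hypothetical.

```javascript
// Added example: constructed renderers, not taken from any real application.

// HTML-encode the characters that are significant in element and
// quoted-attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical vulnerable renderer: echoes the "q" parameter verbatim.
function renderVulnerable(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<p>Results for ${q}</p>`;
}

// Hardened renderer: same page, with the value output-encoded.
function renderHardened(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Renderer that never reflects the parameter at all.
function renderStatic() {
  return "<p>Welcome</p>";
}

// Send a random canary wrapped in markup characters and classify how it
// comes back. A canary only needs to be unique, not secret, so
// Math.random() is sufficient here.
function classifyReflection(render, baseUrl, param = "q") {
  const canary = "canary" + Date.now().toString(36) + Math.random().toString(36).slice(2);
  const probe = `<${canary}">`;
  const url = new URL(baseUrl);
  url.searchParams.set(param, probe);
  const html = render(url.toString());
  if (html.includes(probe)) return "reflected-raw";            // markup survived intact
  if (html.includes(canary)) return "reflected-neutralized";   // encoded or stripped
  return "not-reflected";
}

console.log(classifyReflection(renderVulnerable, "https://app.example/search"));
console.log(classifyReflection(renderHardened, "https://app.example/search"));
```

A `reflected-raw` result means the markup characters reached the page unencoded, which is the condition this test reports on; `reflected-neutralized` only shows that this one output context is handled.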

Configuration

Example

Example configuration:

---
security_tests:
  improper_input_xss_reflection:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.