Reflected XSS (Reflected Cross-Site Scripting) attack occurs when the injected malicious script is reflected off the webserver, like the error message, search result, or any other response. Reflected type attacks are delivered to victims or targets via another path such as email messages or phishing. When the user is tricked into clicking the malicious script or link, then this attack triggers the user’s browser. A simple example of Reflected XSS is the search field.
An attacker looks for places where user input is used directly to generate a response to launch a successful Reflected XSS attack. This often involves elements that are not expected to host scripts, such as image tags (
), or the addition of event attributes. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.