Reflected XSS

This flaw is often exploited when the page displays to the user something that can be manipulated dynamically through a URL or in the body of the page. Nothing is better than a visual example, so let's see a reflected XSS case using Mutillidae:

  1. In Kali Linux, open your browser and go to the home page, then in the left menu, choose OWASP 2017 | Cross Site Scripting | Reflected | DNS Lookup. The first thing that you need to test is the happy path, so let's enter a real IP address (for this example, I will use the IP 10.0.0.1, which is my home router) and click on the Lookup DNS button.
  2. As you can see, the page has displayed the IP address that we just entered. This means that if I replace the IP address with JavaScript code, the page will execute it. In the textbox, replace the IP address with a test script, <script>alert(1)</script>.
  3. Click on the Lookup DNS button and see if this script executes.

In this example, I used the alert(1) JavaScript, and that's probably all you need during penetration tests. On the other hand, a hacker will use more sophisticated JavaScript logic to collect personal information from the victim.
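
The reflection seen in the steps above, next to its fix, as an added example that is not code from the book or from Mutillidae: a constructed lookup page renders the submitted value first as-is and then with HTML output encoding. The function names and the HTML template are hypothetical, and the IPv4 allow-list assumes the field is only meant to accept IPv4 addresses.

```javascript
// Constructed stand-in for a page that echoes the submitted host back to the user.
// escapeHtml, renderVulnerable, renderEncoded and isIPv4 are hypothetical names.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the submitted value is concatenated into the response unchanged,
// so any markup in it becomes part of the page.
function renderVulnerable(targetHost) {
  return `<div class="report-header">Results for ${targetHost}</div>`;
}

// After: same template, with output encoding applied where the value is written.
function renderEncoded(targetHost) {
  return `<div class="report-header">Results for ${escapeHtml(targetHost)}</div>`;
}

// Second layer (assumption: the field should only hold an IPv4 address):
// reject anything that is not four decimal octets in the range 0-255.
function isIPv4(value) {
  const parts = String(value).split('.');
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Constructed inputs: the happy-path value and the test string from the steps above.
for (const input of ['10.0.0.1', '<script>alert(1)</script>']) {
  console.log({
    input,
    validIPv4: isIPv4(input),
    vulnerable: renderVulnerable(input),
    encoded: renderEncoded(input),
  });
}
```

Encoding at the point of output is the primary fix; the allow-list only narrows what reaches the page and does not replace it.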

For more advanced XSS attacks, check out the BeEF XSS framework on your Kali Linux host. After using this tool, you will be amazed by the attack choices that an XSS vulnerability can bring to the table.