In contrast to a stored attack, a Reflected Attack (also known as Non-Persistent XSS or Type I XSS) is the most common type of Cross-Site Scripting.
It occurs when a malicious script is “reflected” off a web application to a victim’s browser. The script is not saved on the server; instead, it is delivered to the victim through a link or a crafted request.
How it Works
- The Hook: The attacker crafts a URL containing a malicious script and sends it to the victim (usually via email, social media, or a shortened link).
- The Request: The victim clicks the link, which sends a request to a vulnerable website.
- The Reflection: The website takes the script from the URL (often from a search parameter or error message) and includes it in the HTTP response page without proper sanitization.
- The Execution: The victim’s browser receives the page, sees the script as coming from a “trusted” site, and executes it.
Example Scenario
Imagine a website has a search feature where the URL looks like this: https://example.com/search?q=security
The page then displays: “You searched for: security”
An attacker can craft a link like this: https://example.com/search?q=<script>alert('XSS')</script>
If the website isn’t protected, the page will render the script, and the browser will trigger a pop-up alert. In a real attack, that script would be used to steal session tokens or redirect the user.
Comparison for your WGU Exams
Since you are prepping for your Bachelor’s in Cybersecurity, remembering these distinctions is key:
| Feature | Reflected Attack | Stored Attack |
|---|---|---|
| Persistence | Non-persistent (it’s gone once the page closes). | Persistent (stays in the database). |
| Delivery Method | Usually a URL/Link or Phishing. | Visiting a legitimate page (post/profile). |
| Primary Goal | Stealing individual session cookies. | Mass exploitation of many users. |
| Detection | Easier to spot in server logs (the script is in the URL). | Harder to detect (the script is in the database). |
Mitigation
To prevent both Reflected and Stored attacks, developers should:
- Input Validation: Ensure only expected data types are submitted.
- Output Encoding: Convert special characters like < and > into HTML entities (&lt; and &gt;) so the browser treats them as text, not code.

#attacks attack webbrowsers WebSecurity
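The search scenario above and the two mitigations, worked through as an added example (not code from the original note): a vulnerable handler that reflects `q` unchanged next to a hardened one that applies an allow-list check and HTML output encoding. The URL, function names and the allow-list pattern are assumptions constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed from the note's scenario; example.com is not a real target.
EXAMPLE_URL = "https://example.com/search?q=<script>alert('XSS')</script>"


def query_param(url: str, name: str) -> str:
    """Pull one query parameter out of a URL the way a search endpoint would."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflected XSS bug: q is placed in the page unchanged, so any
    <script> in the URL is parsed by the browser as markup."""
    return f"<p>You searched for: {q}</p>"


def render_encoded(q: str) -> str:
    """Output encoding: html.escape turns & < > \" ' into entities, so the
    payload is displayed as text instead of being executed."""
    return f"<p>You searched for: {html.escape(q, quote=True)}</p>"


# Assumed allow-list for a search term: word characters, spaces and a few
# punctuation marks, capped at 100 characters. Tune it to the application.
SEARCH_TERM = re.compile(r"[\w .,-]{1,100}")


def validate_search_term(q: str) -> bool:
    """Input validation: reject anything outside the expected character set."""
    return SEARCH_TERM.fullmatch(q) is not None


def handle_search(url: str) -> tuple[int, str]:
    """Hardened handler: validate first, then encode on output.
    Returns an (HTTP status, body) pair."""
    q = query_param(url, "q")
    if not validate_search_term(q):
        return 400, "<p>Invalid search term.</p>"
    return 200, render_encoded(q)


if __name__ == "__main__":
    payload = query_param(EXAMPLE_URL, "q")
    print("vulnerable:", render_vulnerable(payload))
    print("encoded:   ", render_encoded(payload))
    print("hardened:  ", handle_search(EXAMPLE_URL))
```

Encoding alone already stops the script from running; validation is the second layer that keeps junk out of logs and downstream code.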