Reflected XSS attack


Reflected XSS is a type of cross-site scripting in which a vulnerable web application takes script supplied in the attacker's request (typically a URL parameter) and writes it back unencoded into the response, so the client browser that made the request executes it. The attacker delivers the crafted URL to the victim, for example by link or e-mail; the payload never has to be stored on the server.

In this article we use Burp Suite to test for reflected XSS.
Burp Suite Community Edition is free and feature-limited, but sufficient for this exercise.

Run Burp Suite, click Proxy => Intercept, then click "Open browser" to launch Burp's embedded browser. Go to

Go back to the Burp Suite window and select the "HTTP history" tab under Proxy.

Narrow the scope

The request list above is long and hard to follow, so we filter it down to requests for the target host only.
Click Target => Site map. In the tree on the left, right-click the target host and select "Add to scope".

Go back to Proxy, click the Filter bar, and in the "Filter settings" dialog that opens tick "Show only in-scope items", then click Apply.

Now the history shows only in-scope requests.

Next, switch to the Burp Suite browser. On the web page, type CANARY into the search box and submit the search. A unique marker string like this is easy to spot both in the HTTP history and in the response body, which is how we find out whether the parameter is reflected at all.

The search returns no results, but the request has been recorded. Back in the Burp Suite window, select the entry with the URL /search/?q=CANARY, right-click it and choose "Send to Repeater".

Click the Repeater tab on the toolbar.

In the Request panel on the left, edit the q parameter in the first line of the request (the request line), replacing CANARY with a script payload. Characters such as <, > and quotes should be URL-encoded in the request line (select the text and press Ctrl+U in Burp); the server decodes them before the value reaches the page.

With the payload in place, the request is ready to send. If the application writes the parameter into the page without encoding it, the script is reflected in the response and executed by the browser that loads it. The correct fix belongs on the output side: HTML-encode the value at the point it is inserted into the page, so that < and > become &lt; and &gt; (and &, " and ' become &amp;, &quot; and &#x27;). The encoding has to match the context the data lands in (HTML body, attribute, JavaScript string, URL); rejecting or stripping suspicious input alone is not a reliable defense, and a Content-Security-Policy header is a useful second layer if encoding is ever missed.
Click the Send button to send the request.
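To make the defense and the test concrete, here is an added example, not code from the original article or from the application it tests: a minimal search handler in two versions, one that reflects q unencoded and one that HTML-encodes it, plus a probe that automates the canary-then-payload check performed above in Repeater. The handler names, the /search/?q= route and the marker format are assumptions made for the illustration.

```python
import html
import re
import secrets
from urllib.parse import parse_qs, quote, urlsplit

# --- Server side: two hypothetical search handlers (assumed for illustration) ---

def render_search_vulnerable(query: str) -> str:
    """Writes the raw query into the HTML body: this is the reflected XSS bug."""
    return f"<h1>Search results for: {query}</h1><p>0 results</p>"


def render_search_hardened(query: str) -> str:
    """HTML-encodes the query at the point it is written into the HTML body."""
    # html.escape turns < > & " ' into entities (&lt; &gt; &amp; &quot; &#x27;),
    # so the browser renders the value as text instead of parsing it as markup.
    safe = html.escape(query, quote=True)
    return f"<h1>Search results for: {safe}</h1><p>0 results</p>"


def handle_request(request_line: str, render) -> str:
    """Parse 'GET /search/?q=... HTTP/1.1', URL-decode q and render the page."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("only GET is modelled here")
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return render(params.get("q", [""])[0])


# --- Client side: what the tester does by hand in Repeater, automated ----------

def build_request_line(value: str) -> str:
    """Equivalent of editing the q parameter on the first line in Repeater.
    safe='' percent-encodes every reserved character, including < > ' ( )."""
    return f"GET /search/?q={quote(value, safe='')} HTTP/1.1"


def probe_reflected_xss(handler, render) -> dict:
    """Step 1: is a unique canary reflected at all?
    Step 2: if so, do the angle brackets of a script tag survive unencoded?"""
    canary = "canary" + secrets.token_hex(4)          # random marker per run
    body = handler(build_request_line(canary), render)
    if canary not in body:
        return {"reflected": False, "unencoded": False, "evidence": ""}

    payload = f"<script>alert('{canary}')</script>"
    body = handler(build_request_line(payload), render)
    # A match with < and > intact means the page echoed live markup; an
    # encoded page contains &lt;script&gt; instead, which does not match.
    unencoded = re.search(re.escape(payload), body) is not None
    idx = body.find(canary)
    evidence = body[max(0, idx - 16): idx + len(canary) + 12]
    return {"reflected": True, "unencoded": unencoded, "evidence": evidence}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("hardened", render_search_hardened)):
        print(name, probe_reflected_xss(handle_request, render))
```

The two-step probe mirrors the workflow in the article: the canary shows where the parameter lands, and only then is a real payload sent, so the evidence snippet tells you whether you are looking at live markup or at entity-encoded text.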

In this case the web application firewall blocked the request in phase 2 of its processing, i.e. while inspecting the request body, before any response was generated; the request above is just one of many web application attack patterns such a firewall blocks. A WAF is a compensating control, not a fix: signature-based filters can be bypassed with alternative encodings and tag variants, so the application still needs correct output encoding regardless of what the firewall catches.
