Reflected XSS
Last updated
The application or API includes unvalidated and unescaped user input as part of HTML output.
That is, the HTML displays a string sent by the user.
The attacker sends the victim a malicious link, pointing to an attacker-controlled page, through email, a chat message, etc.
A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser.
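As an added illustration (not code from the original page), the snippet below shows the defect described above in its smallest form: a "search results" page that reflects the query string into HTML without escaping, alongside the same page with output escaping applied, and a simple check a defender can run to confirm whether raw markup is reflected. The render functions, the `escapeHtml` helper and the sample query values are all constructed for this example.

```javascript
// Added example: reflected user input in HTML output, vulnerable vs. hardened.
// The functions and sample values are constructed for illustration and are not
// taken from any real application.

// Escapes the five characters that are significant inside an HTML element body
// or a double-quoted attribute value. Escaping must happen at output time, in
// the context where the value is placed (here: HTML text).
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the user-supplied query is concatenated straight into the markup,
// so any tags it contains are parsed as live HTML by the victim's browser.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: identical page, but the reflected value is escaped at the point of output.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defender-side check: render a harmless tag-shaped probe and see whether it
// comes back verbatim (reflected as markup) or escaped (reflected as text).
function reflectsRawMarkup(render, probe = "<b>probe</b>") {
  return render(probe).includes(probe);
}

// Constructed sample inputs.
const benignQuery = "security headers";
const markupQuery = "<i>not italic</i>";

console.log(renderSearchVulnerable(benignQuery));
console.log(renderSearchVulnerable(markupQuery)); // tag survives: reflected XSS sink
console.log(renderSearchSafe(markupQuery));       // tag rendered as literal text
console.log("vulnerable reflects raw markup:", reflectsRawMarkup(renderSearchVulnerable)); // true
console.log("hardened reflects raw markup:", reflectsRawMarkup(renderSearchSafe));        // false
```

The escaping shown is correct only for HTML text and double-quoted attribute contexts; a value placed inside a `<script>` block, a URL, or an event-handler attribute needs the encoding appropriate to that context.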