Web Security Finding Report Template

Reflected Cross-Site Scripting (XSS) — CWE-79

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

The q query parameter on the search endpoint reflects user-supplied input directly into the HTML response without output encoding. An attacker can craft a URL containing a script payload that executes in the victim's browser when the link is visited. No authentication is required to trigger the vulnerability.

1. Open Burp Suite Community Edition and launch Burp's browser.
2. Navigate to https://example-target.lab/search.
3. Enter any search term and submit the form.
4. In Burp's HTTP History, locate the GET request to /search.
5. Send the request to Repeater.
6. Replace the value of the q parameter with <script>alert(document.domain)</script>.
7. Forward the request and observe the injected script executes in the browser response.

GET /search?q=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
Host: example-target.lab
User-Agent: Mozilla/5.0
Accept: text/html

<div class="results">
  Results for: <script>alert(document.domain)</script>
</div>

An attacker who sends a crafted URL to an authenticated user can execute arbitrary JavaScript in that user's browser under the application's origin. This can be used to steal session cookies, capture keystrokes, redirect users to phishing pages, or perform actions on the victim's behalf. The severity is elevated in applications where users are authenticated or where sensitive data is displayed.

Apply context-aware output encoding to all user-supplied input before rendering it in HTML responses. In most frameworks, use the built-in HTML escaping function (e.g., htmlspecialchars() in PHP, HtmlEncode() in .NET). Do not rely on input validation alone — encode output at the point of rendering. Implement a Content Security Policy (CSP) as a defense-in-depth measure.