{"id":20493869,"url":"https://github.com/qeeqbox/reflected-cross-site-scripting","last_synced_at":"2026-03-06T18:35:49.643Z","repository":{"id":104219166,"uuid":"486443706","full_name":"qeeqbox/reflected-cross-site-scripting","owner":"qeeqbox","description":" A threat actor may inject malicious content into webapp. The payload is reflected in the HTTP request and response, then executed in the victim's browser","archived":false,"fork":false,"pushed_at":"2025-07-28T00:44:02.000Z","size":2105,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-28T02:31:22.973Z","etag":null,"topics":["cross","infosecsimplified","metadata","qeeqbox","reflected","scripting","site","visualization","vulnerability","xss"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qeeqbox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["qeeqbox"]}},"created_at":"2022-04-28T04:20:40.000Z","updated_at":"2025-07-28T00:44:05.000Z","dependencies_parsed_at":"2024-01-29T02:37:24.116Z","dependency_job_id":"d8e52c73-0a88-4a60-ab4a-8e3c9485665f","html_url":"https://github.com/qeeqbox/reflected-cross-site-scripting","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/qeeqbox/reflected-cross-site-scripting","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Freflected-cross-site-scripting","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Freflected-cross-site-scripting/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Freflected-cross-site-scripting/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Freflected-cross-site-scripting/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qeeqbox","download_url":"https://codeload.github.com/qeeqbox/reflected-cross-site-scripting/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Freflected-cross-site-scripting/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30191231,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T18:30:16.692Z","status":"ssl_error","status_checked_at":"2026-03-06T18:30:13.818Z","response_time":250,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cross","infosecsimplified","metadata","qeeqbox","reflected","scripting","site","visualization","vulnerability","xss"],"created_at":"2024-11-15T17:37:11.762Z","updated_at":"2026-03-06T18:35:49.628Z","avatar_url":"https://github.com/qeeqbox.png","language":null,"funding_links":["https://github.com/sponsors/qeeqbox"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/reflected-cross-site-scripting/main/content/reflected-cross-site-scripting.svg\"\u003e\u003c/p\u003e\n\nAn application enables users to control the Document Object Model (DOM) environment. A threat actor can exploit this feature by injecting a malicious payload into a trusted web application. When users interact with this malicious payload, their browsers execute it. This vulnerability is reflected in the HTTP request or response and occurs on the client side.\n\nClone this current repo recursively\n```sh\ngit clone --recurse-submodules https://github.com/qeeqbox/reflected-cross-site-scripting\n```\nRun the webapp using Python\n```sh\npython3 reflected-cross-site-scripting/vulnerable-web-app/webapp.py\n```\nOpen the webapp in your browser 127.0.0.1:5142\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/reflected-cross-site-scripting/main/content/1.png\"\u003e\u003c/p\u003e\nOpen the network tab from the developer tools to examine the requests and responses\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/reflected-cross-site-scripting/main/content/2.png\"\u003e\u003c/p\u003e\nIf you type the URL + test, it will take you to the test resourse (page), it does not exist but the test keyword gets embedded in the page\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/reflected-cross-site-scripting/main/content/3.png\"\u003e\u003c/p\u003e\nA threat actor could embed a malicious payload and send it to a victim using social engineering attacks. If the victim falls for it, their browser will send the request to the webapp\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/reflected-cross-site-scripting/main/content/4.png\"\u003e\u003c/p\u003e\nThen, the browser will execute a malicious payload\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/reflected-cross-site-scripting/main/content/5.png\"\u003e\u003c/p\u003e\n\n## Code\nThis logic will check if the requested page has a route or exists, if it does not, then it will pass the requested page value to the msg_page() function\n```py\ndef do_GET(self):\n    ...\n    self.send_content(404, [('Content-type', 'text/html')], self.msg_page(f\"Error: The requested URL {urllib_parse.unquote(parsed_url.path)} was not found\".encode(\"utf-8\")))\n    ...\n```\nThe msg_page() function will embed the user value in the webpage\n```py\ndef msg_page(self, msg, prev=None):\n    with open(path.join(TEMPLATE_FOLDER,\"msg.html\"),\"rb\") as fi:\n        if prev:\n            return fi.read().replace(b\"{{msg-result}}\",msg).replace(b\"{{msg-prev}}\",prev).replace(b\"{{msg-page}}\",b\"Return\")\n        else:\n            return fi.read().replace(b\"{{msg-result}}\",msg).replace(b\"{{msg-prev}}\",b\"/\").replace(b\"{{msg-page}}\",b\"Home\")\n```\n ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqeeqbox%2Freflected-cross-site-scripting","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqeeqbox%2Freflected-cross-site-scripting","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqeeqbox%2Freflected-cross-site-scripting/lists"}