https://github.com/qeeqbox/reflected-cross-site-scripting
A threat actor may inject malicious content into webapp. The payload is reflected in the HTTP request and response, then executed in the victim's browser
- Host: GitHub
- URL: https://github.com/qeeqbox/reflected-cross-site-scripting
- Owner: qeeqbox
- License: agpl-3.0
- Created: 2022-04-28T04:20:40.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2025-07-28T00:44:02.000Z (11 months ago)
- Last Synced: 2025-07-28T02:31:22.973Z (11 months ago)
- Topics: cross, infosecsimplified, metadata, qeeqbox, reflected, scripting, site, visualization, vulnerability, xss
- Size: 2.01 MB
- Stars: 3
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README

An application lets user-supplied input shape the Document Object Model (DOM) it renders. A threat actor can abuse this by injecting a malicious payload into a request to a trusted web application; when a victim's browser loads the response that reflects that payload, the browser executes it. The vulnerability is reflected through the HTTP request and response and occurs on the client side.
Clone this current repo recursively
```sh
git clone --recurse-submodules https://github.com/qeeqbox/reflected-cross-site-scripting
```
Run the webapp using Python
```sh
python3 reflected-cross-site-scripting/vulnerable-web-app/webapp.py
```
Open the webapp in your browser at http://127.0.0.1:5142

Open the network tab from the developer tools to examine the requests and responses

If you append test to the URL, it will take you to the test resource (page). That page does not exist, but the test keyword gets embedded in the error page that is returned

A threat actor could embed a malicious payload and send it to a victim using social engineering attacks. If the victim falls for it, their browser will send the request to the webapp

Then, the browser will execute the malicious payload reflected in the response

## Code
This logic checks whether the requested page has a route or exists; if it does not, it passes the requested path value to the msg_page() function as part of a 404 message
```py
def do_GET(self):
    ...
    # No route matched: the URL-decoded request path is embedded directly in the 404 message
    self.send_content(404, [('Content-type', 'text/html')],
                      self.msg_page(f"Error: The requested URL {urllib_parse.unquote(parsed_url.path)} was not found".encode("utf-8")))
    ...
```
The msg_page() function embeds the user-controlled value in the webpage as-is
```py
def msg_page(self, msg, prev=None):
    # Template placeholders are replaced with raw bytes; msg is never HTML-escaped
    with open(path.join(TEMPLATE_FOLDER, "msg.html"), "rb") as fi:
        if prev:
            return fi.read().replace(b"{{msg-result}}", msg).replace(b"{{msg-prev}}", prev).replace(b"{{msg-page}}", b"Return")
        else:
            return fi.read().replace(b"{{msg-result}}", msg).replace(b"{{msg-prev}}", b"/").replace(b"{{msg-page}}", b"Home")
```
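To show why the template substitution above is unsafe, here is an added example (not part of the qeeqbox repo) that rebuilds the 404 path with an inline stand-in for msg.html and places the reflecting msg_page() next to a hardened variant that HTML-escapes every user-controlled value; the template bytes and the function names msg_page_vulnerable, msg_page_hardened and not_found_body are constructed for this example.

```python
import html
from urllib import parse as urllib_parse

# Constructed stand-in for templates/msg.html (the real file lives in the repo's submodule)
MSG_TEMPLATE = (b"<html><body><p>{{msg-result}}</p>"
                b"<a href=\"{{msg-prev}}\">{{msg-page}}</a></body></html>")


def msg_page_vulnerable(msg, prev=None):
    """Mirrors the repo's msg_page(): raw bytes are substituted into the template unescaped."""
    page = MSG_TEMPLATE.replace(b"{{msg-result}}", msg)
    if prev:
        return page.replace(b"{{msg-prev}}", prev).replace(b"{{msg-page}}", b"Return")
    return page.replace(b"{{msg-prev}}", b"/").replace(b"{{msg-page}}", b"Home")


def msg_page_hardened(msg, prev=None):
    """Same template, but every user-controlled value is HTML-escaped (quotes included)."""
    safe_msg = html.escape(msg, quote=True).encode("utf-8")
    safe_prev = html.escape(prev, quote=True).encode("utf-8") if prev else b"/"
    label = b"Return" if prev else b"Home"
    return (MSG_TEMPLATE.replace(b"{{msg-result}}", safe_msg)
            .replace(b"{{msg-prev}}", safe_prev)
            .replace(b"{{msg-page}}", label))


def not_found_body(raw_url, hardened):
    """Builds the 404 body the way do_GET() does: the decoded request path lands in the message."""
    path = urllib_parse.unquote(urllib_parse.urlsplit(raw_url).path)
    msg = f"Error: The requested URL {path} was not found"
    if hardened:
        return msg_page_hardened(msg)
    return msg_page_vulnerable(msg.encode("utf-8"))


def reflects_raw_markup(body):
    """Detection helper: True if an angle bracket from the input survived into the body unescaped."""
    text = body.split(b"<p>", 1)[1].split(b"</p>", 1)[0]
    return b"<" in text or b">" in text


if __name__ == "__main__":
    probe = "/%3Cb%3Etest%3C/b%3E"  # constructed request: the path carries harmless <b> markup
    for mode in (False, True):
        body = not_found_body(probe, hardened=mode)
        print("hardened" if mode else "vulnerable", "->", reflects_raw_markup(body))
```

Running it prints True for the vulnerable path (the markup from the URL is now part of the page) and False for the hardened one.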