Reflected XSS

What is Reflected XSS?

Reflected XSS is a kind of cross-site scripting attack, where malicious script is injected into websites that are trusted or otherwise benign. Typically, the injection occurs when an unsuspecting user clicks on a link that is specifically designed to attack the website they are visiting. For example, on websites that rely on user-generated content like forums or comment sections, attackers may post malicious code that infects anyone who views it or clicks on it.

In a reflected XSS attack, a web application with an XSS vulnerability will allow potentially harmful data to be inserted into a routine transaction. For example, when a user sends a web request to a server by submitting a form, the application will respond with a page containing an echo of what the user has submitted for confirmation. A malicious piece of JavaScript can replace or append itself to the user’s entry, which the user inadvertently executes. A reflected XSS attack may also lure a victim into starting an HTTP request by clicking on a malicious link in an email or a counterfeit webpage that looks legitimate.

While these attacks are among the most frequent risks to application security, reflected XSS and cross site scripting prevention is rather simple when enterprises have the right tools.

Secure Coding Handbook

Get the Handbook

Stopping reflected XSS attacks with Veracode

As a global leader in application security testing solutions, Veracode provides a platform of cloud-based services for finding and fixing flaws such as reflected XSS vulnerabilities or Java SQL injection in applications you build, buy and assemble.

As a SaaS-based solution, Veracode provides application testing services on demand, enabling you to avoid capital expenditure for on-premise hardware and software. Code can be submitted via an online platform, with results returned within a matter of hours. That means development teams can easily integrate testing for reflected XSS vulnerabilities and other flaws into the software development lifecycle (SDLC). Veracode’s solutions also provide testing for third-party applications, open source components and web applications and websites that are already operational.

Download Veracode’s XSS Cheat Sheet, a summary of everything you need to know about reflected XSS vulnerabilities and other cross site scripting attacks.

Veracode services for finding reflected XSS vulnerabilities

Veracode offers comprehensive services that can help organizations meet web application security standards. These include:

  • Static Analysis services that scan binaries to find and fix flaws.
  • Veracode Static Analysis IDE Scan, a tool that provides application security feedback to developers as they write code.
  • Software Composition Analysis for identifying flaws like reflected XSS in open source components.
  • Vendor Application Security Testing for evaluating security risks in third-party applications.
  • Web Application Scanning that can identify vulnerabilities in all public-facing web sites and applications.


Learn more about avoiding a reflected XSS attack with Veracode, and about Veracode’s solutions for DevSecOps and for a CSRF token.

Get a Veracode Static Analysis IDE Scan Demo

Static Demo