Medium (6.1) | Moderate risk

Reflected Cross-Site Scripting (XSS, multi-context)

A03:2025 | Active check | CVSS 6.1

What it is

Reflected XSS is the unescaped reflection of user input into a response, which enables JavaScript execution in victims' browsers. It is probed across HTML, attribute, script, and title contexts with context-aware payloads.

How attackers abuse it

An attacker gets your page to run their JavaScript in your visitors' browsers. They can steal sessions, capture what users type, deface the page, or trick users into actions, all while it looks like your site.

Attacker playbook

  1. Find a spot where input is echoed back into the page (search, comments, profile fields).
  2. Inject a script payload and confirm it executes in the browser.
  3. Weaponize it to steal session cookies or perform actions as the victim.

How VibeSec detects and confirms it

VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using VibeSec native, XSStrike, OWASP ZAP and Wapiti. When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.


If this is in your report: how to fix it

  • Encode output for the right context (HTML, attribute, JS) so input renders as text, not code.
  • Use a framework that escapes by default and avoid dangerous sinks like innerHTML.
  • Add a Content Security Policy as a strong second layer of defense.
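
The context-specific encoding from the first fix, shown for the four contexts this page lists (HTML, attribute, script, title). This is an added example, not VibeSec's code; the function names, the search page and the sample input are illustrative assumptions.

```javascript
// Added example: one encoder per output context (all names are illustrative).

// HTML element body and <title>: neutralise markup metacharacters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Quoted attribute value: encode every non-alphanumeric code point as &#xHH;
// so the value cannot close its quotes or start a new attribute.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    c => `&#x${c.codePointAt(0).toString(16)};`);
}

// Data inside an inline <script>: serialise as JSON, then escape the characters
// that could end the script element or be misread by the HTML parser.
function encodeJsValue(v) {
  const json = JSON.stringify(v);
  if (json === undefined) throw new TypeError('value is not JSON-serialisable');
  return json.replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hypothetical search page that reflects q in four contexts.
function renderSearchPage(q) {
  return [
    '<!doctype html>',
    `<title>Results for ${encodeHtml(q)}</title>`,
    `<h1>Results for ${encodeHtml(q)}</h1>`,
    `<input name="q" value="${encodeAttr(q)}">`,
    `<script>const query = ${encodeJsValue(q)};</script>`,
  ].join('\n');
}

// Constructed sample input with characters that are significant in each context.
const sample = `Tom & "Jerry" <b>'x'</b> </script>`;
console.log(renderSearchPage(sample));
```

The encoders are not interchangeable: `encodeHtml` output placed inside a script block, or `encodeJsValue` output placed in an attribute, does not make the value safe for that context.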
