From a75adbeb4a560d5874519f98500972bf51df3cf4 Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Fri, 27 Mar 2026 17:20:52 +0100 Subject: Add reflected XSS solution --- Reflected XSS/Resources/notes.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 Reflected XSS/Resources/notes.md (limited to 'Reflected XSS/Resources/notes.md') diff --git a/Reflected XSS/Resources/notes.md b/Reflected XSS/Resources/notes.md new file mode 100644 index 0000000..ce4de77 --- /dev/null +++ b/Reflected XSS/Resources/notes.md @@ -0,0 +1,12 @@ +## Exploit + +1. There is a clickable image that links to `http://10.0.2.15/?page=media&src=nsa` +1. The application uses the `src` query parameter as the value of the `data` attribute of an `` element **without validation** +1. Thus, one can exploit XSS by supplying a `data:` URL instead of the expected image reference (nsa) in `src` +1. Request `curl "http://10.0.2.15/?page=media&src=data:text/html;base64,$(echo -n '' | base64)" | grep flag` to get the flag. + +## Fix + +[https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html]() + +Do not place untrusted user input directly into the `data` attribute of an `` element. Only allow strict server-side mapping to expected media resources, and reject dangerous schemes such as `data:` and `javascript:` (i.e. sanitize user input). -- cgit v1.2.3
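Review bot: the curl command in step 4 of the "Exploit" section cannot work as written, because the payload it base64-encodes is empty (`echo -n ''`), so the request sends `src=data:text/html;base64,` with no content and the `grep flag` has nothing to match; the actual HTML payload that was used should be included between the quotes, otherwise the solution is not reproducible. Related, step 2 and the last paragraph of the "Fix" section refer to "the `data` attribute of an `` element" with the element name missing; since `data` is the attribute of the HTML `<object>` element, spell the element out so the reader knows which tag is being injected into. In the "Fix" section the markdown link is inverted: `[https://owasp.org/...]()` renders with an empty target, and should be `[title](https://owasp.org/...)` (or the bare URL) so the reference is clickable. Finally, the closing sentence mixes two strategies: the strict server-side mapping from `src` to known media resources is the correct fix on its own, and the added "reject dangerous schemes such as `data:` and `javascript:`" reads as a scheme denylist, which is incomplete by construction; suggest keeping the allowlist mapping as the fix and describing scheme rejection only as defence in depth rather than as "sanitize user input".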