Introduction

Cross-Site Scripting (XSS) is a client-side vulnerability that allows attackers to inject malicious JavaScript into web applications. When user-supplied input is reflected back into the response without proper sanitization, an attacker can execute arbitrary scripts in a victim's browser.

During manual testing, I discovered a reflected XSS vulnerability in a PHP endpoint that dynamically processes a files parameter.

Vulnerable Endpoint Overview

The application exposes the following endpoint:

[screenshot: the vulnerable endpoint and its files parameter, domain redacted]

The files parameter is intended to accept a file path or filename. However, the application trusts this input entirely and reflects it back into the HTTP response.

Security Issue

The application fails to implement the following security controls:

  • Input validation
  • HTML character sanitization
  • Output encoding before rendering user input

To test for XSS, I modified the files parameter to include HTML content. The following payload was used as a safe proof-of-concept:

<img src=x onerror=alert('I_AM_HERE_!!!')>

This payload does not access cookies or sensitive data. It simply verifies JavaScript execution.

[screenshot: the proof-of-concept payload placed in the files parameter]

The payload was URL-encoded and appended to the request. This image highlights the injected HTML payload inside the files parameter. The server receives this value without filtering, performs no input validation on the files parameter, and reflects it unchanged in the response.

[screenshot: the reflected payload in the HTTP response]

Root Cause:

User input is rendered into the HTML response without escaping special characters such as <, >, or '. This allows the browser to interpret the injected input as real HTML instead of plain text.

The image below illustrates that the injected <img> tag is reflected directly in the server's response.

[screenshot: the injected <img> tag in the server's response]

Seeing the alert appear confirms that the injected JavaScript is being executed directly in the browser of the vulnerable domain.

Impact

  • Execute arbitrary JavaScript in a victim's browser
  • Steal session cookies or tokens
  • Deliver malware via trusted application pages

Conclusion

An unsanitized parameter can lead to client-side attacks such as reflected XSS. Proper input validation, strict output encoding, and defense-in-depth security controls are essential to prevent such vulnerabilities. All user input should be treated as untrusted and safely encoded before being rendered in HTML responses.
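To make the root cause and the two missing controls concrete, here is an added PHP example: a hypothetical handler for a files parameter (not the affected application's code), first in its vulnerable form and then with input validation and contextual output encoding applied to the writeup's own proof-of-concept payload. The function names, the filename pattern, and the response markup are assumptions for illustration.

```php
<?php
// Added example, not the affected application's code. A hypothetical
// handler that reflects the `files` parameter, in vulnerable and hardened form.

// Vulnerable: the raw parameter is concatenated straight into the HTML body.
function render_vulnerable(string $files): string
{
    return "<p>Requested file: " . $files . "</p>";
}

// Control 1: input validation. The parameter is meant to be a filename, so
// allow only a conservative character set and reject everything else.
function validate_filename(string $files): ?string
{
    // Letters, digits, dot, dash, underscore; 1..255 chars; no path separators.
    if (preg_match('/^[A-Za-z0-9._-]{1,255}$/', $files) !== 1) {
        return null;
    }
    // Reject dot-only names such as "." and "..".
    if (trim($files, '.') === '') {
        return null;
    }
    return $files;
}

// Control 2: output encoding for the HTML text context. ENT_QUOTES encodes
// both ' and ", which matters because the PoC payload uses single quotes.
function render_safe(string $files): string
{
    $encoded = htmlspecialchars($files, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Requested file: " . $encoded . "</p>";
}

// The proof-of-concept payload from the writeup, as it arrives after URL decoding.
$payload = "<img src=x onerror=alert('I_AM_HERE_!!!')>";

// Vulnerable output: the <img> tag is emitted verbatim and the browser fires onerror.
echo render_vulnerable($payload), PHP_EOL;

// Hardened path: validation rejects the value outright; even if validation were
// skipped, encoding turns every <, > and ' into an entity so the browser renders text.
if (validate_filename($payload) === null) {
    echo "rejected by input validation", PHP_EOL;
}
echo render_safe($payload), PHP_EOL;
```

Encoding must match the output context: htmlspecialchars is correct for HTML element content and quoted attribute values, but a value placed inside a script block or a URL needs the encoder for that context instead.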

Note: The affected domain has been redacted as part of responsible disclosure.