Cross-Site-Scripting - Reflected (JSON)

Published: 17 May 2019 at 19:55 UTC | Updated: 06 June 2021 at 10:43 UTC

This is a demonstration of a reflected Cross-Site Scripting attack on a JSON response. For this demo, I'll be using bWAPP, a buggy web application that we can use to test various web vulnerabilities.

bWAPP Official Link:-

Now please choose Cross-Site Scripting - Reflected (JSON) from the drop-down menu and click Hack.

As you can see, this web page has one input box asking the user to enter a movie name. So let's enter a movie name, for example Skyfall, and click Search.

Now you can see the movie name is reflected both in the address bar and on the web page. If the output is reflected in the address bar or on the web page, then we can inject our payload. So let's try to inject our payload.


And click Search. We will try to display the movie name on an alert dialogue box.

As you can see, our payload didn't work. Always remember: whenever output is reflected on a web page, the first thing to do is view the page source. That way you can understand the DOM structure around that particular HTML element, and only then can you inject your payload.

Now you can see above that our entire statement is within double quotes. The web page is processed from the top, and when it reaches the <script> tag, the first statement is not yet closed at the point where we are trying to inject our JavaScript code. So in order to execute our payload, we first need to close the current statement and then inject our payload as a new statement.

Steps to create the payload

Step 1


Close all open curly braces, square brackets and the single quote, and remember to add a semicolon at the end to terminate the statement.

Step 2


This will be our payload. Because a <script> tag is already open, there is no need to start another one; we only need to show the alert dialogue and close the </script> tag.

As you can see, we are able to show the movie name in an alert dialogue box. So you first need to understand the DOM (Document Object Model) of the web page, and after that you can inject your payload.

How do we prevent this type of attack?

  1. Encode unsafe characters in the response
  2. For every HTTP request, serve the JSON response with Content-Type: application/json and X-Content-Type-Options: nosniff, which instructs browsers to disable MIME sniffing.
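
The two preventions listed above, as an added example that is not part of the original post and is not bWAPP's code. The function names are hypothetical, and the response shape is a constructed stand-in for the JSON-inside-`<script>` pattern described earlier.

```javascript
// Added example: hypothetical helper names; the response shape is a constructed
// stand-in for the page's JSON-in-<script> pattern, not bWAPP's source.

// Vulnerable: input is concatenated into a JSON string inside inline script.
function renderVulnerable(title) {
  const json = '{"movies":[{"response":"' + title + ' is not available"}]}';
  return "<script>var JSONResponseString = '" + json + "';</script>";
}

// Characters that can end a string, a tag or a line in script context and
// that JSON.stringify leaves untouched.
const SCRIPT_ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026', "'": '\\u0027',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Prevention 1: serialize with JSON.stringify (escapes " and \), then encode
// the remaining unsafe characters as \uXXXX so the value stays one string.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&'\u2028\u2029]/g, (c) => SCRIPT_ESCAPES[c]);
}

function renderSafe(title) {
  const data = { movies: [{ response: title + ' is not available' }] };
  return '<script>var JSONResponse = ' + jsonForScript(data) + ';</script>';
}

// Prevention 2: when the same data is served from its own endpoint, declare it
// as JSON and disable MIME sniffing so it is never rendered as HTML.
function jsonApiResponse(title) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: JSON.stringify({ movies: [{ response: title + ' is not available' }] }),
  };
}

// Constructed input holding the metacharacters discussed above (no script code).
const sample = 'Sky"fall\'}]</script><b>';
console.log(renderVulnerable(sample));
console.log(renderSafe(sample));
console.log(jsonApiResponse(sample).headers);
```

In the safe output the only `</script>` is the page's own closing tag, and `JSON.parse` on the embedded value returns the original input unchanged.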

For more information, see the links below.

  1. Testing for AJAX Vulnerabilities (OWASP-AJ-001)
  2. XSS (Cross Site Scripting) Prevention Cheat Sheet
  3. OWASP Top 10 for JavaScript - A2: Cross Site Scripting - XSS

Thank you for reading this post and Happy Hacking :)