Cross-site-Scripting — Reflected (EVAL & HREF)

This is the demonstration of Cross-Site-Scripting attack in eval function and Hypertext reference and for this demo, I’ll be using bWAPP and bWAPP is a buggy web application and we can use to test various vulnerabilities in the web.

bWAPP Official Link:-

How to perform a Cross-Site Scripting attack in eval function?

Now please choose Cross-site-Scripting — Reflected (Eval) from the drop-down menu and click Hack.

What is eval?

eval() is a global function in JavaScript and it evaluates a JavaScript expression, variable, statement, or sequence of statements as JavaScript code and after that, it executes that piece of code.

As you can see the date function is being used to display the current date of my computer and this Date() function is an example of eval() and as it’s an eval function so we can write alert() function also.


As you can see it’s executed the alert() function.

How to prevent this attack?

The better way to prevent this attack is you should n’t be using eval() at all while developing a website and as per the Mozilla developer documentation it’s very dangerous unction and it could be used by the third party for malicious purposes. And also it slow because it has to invoke JS interpreter to execute the code.

For more information please check out Mozilla developer documentation:-

How to perform a Cross-Site Scripting attack in hypertext reference?

Now please choose Cross-site-Scripting — Reflected (HREF) from the drop-down menu and click Hack.

In this demo what it does, it takes the input from the first screen and displays it on the second screen.

So on my first screen, I enter my name “Anshuman” in the input box and it will reflect on the next screen.

As you can see on the second screen my name reflecting on the web page and as it’s reflecting we can inject JavaScript code.

In order to inject JavaScript code first, we need to check the DOM structure of that particular HTML element.

So right click on the webpage and choose view page source to check the source code of this particular webpage.

As you can see my name is reflecting and in order to inject the code first, we need to close this greater than and less than angular parenthesis then we can inject <script> tag.

So the final payload will be as below.


So as you can see we are able to inject JavaScript code inside hypertext reference. And to prevent this it requires proper sanitization of special characters then we can prevent this attack

For more information


I hope you guys like this post-bye bye for now

Happy Hacking :)

Python | Application Security | Web Security | Cybersecurity | Software Development