Liudas
Your API Might Be an XSS Machine (And You Don’t Even Know It)

Here’s how reflected XSS is born.

You reject a bad request.
You return a helpful error message.
You include the exact payload the user sent.

Congratulations — your API just became a content delivery network for alert(1).

In this case, Rentgen injected a toxic payload into the request body and checked two simple things:

  1. Did the API reject it properly (400 / 422)?
  2. Did it avoid echoing the payload back in the response?

Result: 🟢 Pass.

But here’s the uncomfortable truth — many APIs don’t.

“Relax, we return JSON only.”
Great. JSON still gets rendered somewhere: admin dashboards, WebViews, internal tools, logs, support portals. The moment someone does innerHTML = error.message, your “helpful” mirrored input becomes executable.

This isn’t a hacker problem.
It’s a tired-developer-copy-paste problem.

If your API echoes raw user input in error responses, you’re one UI shortcut away from reflected XSS.

Reject bad input.
Don’t mirror it back.
Ever.

Full breakdown and technical details here:
👉 Read the full article: https://rentgen.io/api-stories/reflected-payload-safety.html
