
Overview

This plugin detects when payloads appear in the response HTML (reflection). While not proof of XSS, reflection is often a precursor to exploitation—it shows that input is not properly sanitized.

Reflection vs Execution

| Detection | Confidence | What It Proves |
| --- | --- | --- |
| Reflection | Medium | Payload appears in HTML |
| Execution (XSS) | High | JavaScript actually ran |

Use both for comprehensive coverage:
  • Reflection catches more potential issues
  • Execution confirms exploitability

Installation

npm install @vulcn/plugin-detect-reflection

Configuration

plugins:
  - name: "@vulcn/plugin-detect-reflection"
    config:
      enabled: true
      minPayloadLength: 4
      detectBody: true
      detectScript: true
      detectAttribute: true
      bodySeverity: low
      scriptSeverity: medium
      attributeSeverity: medium
      dangerousPatterns:
        - onerror
        - onclick
        - javascript:

Options

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| enabled | boolean | true | Enable reflection detection |
| minPayloadLength | number | 4 | Skip payloads shorter than this |
| detectBody | boolean | true | Detect reflection in HTML body |
| detectScript | boolean | true | Detect reflection in script context |
| detectAttribute | boolean | true | Detect reflection in attributes |
| bodySeverity | string | "low" | Severity for body reflection |
| scriptSeverity | string | "medium" | Severity for script reflection |
| attributeSeverity | string | "medium" | Severity for attribute reflection |
| dangerousPatterns | string[] | See below | Patterns that increase severity |

Default Dangerous Patterns

dangerousPatterns:
  - onerror
  - onclick
  - onload
  - onmouseover
  - onfocus
  - javascript:
  - eval(
  - document.write
  - innerHTML

Context Detection

The plugin analyzes where the reflection occurs:

Body Context

<div>
  Your search:
  <script>
    alert("XSS");
  </script>
</div>
Severity: Low (may be HTML-encoded)

Script Context

<script>
  var query = '<script>alert('XSS')</script>';
</script>
Severity: Medium (dangerous, likely exploitable)

Attribute Context

<input value="<script>alert('XSS')</script>" />
Severity: Medium (may break out of attribute)
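
The context classification described above, sketched as an added example (not the plugin's own code). The function names, the 80-character proximity window and the one-step severity bump are assumptions; the pattern list and base severities are the defaults documented on this page.

```javascript
// Added illustration; NOT the plugin's source. Pattern list and base severities come from
// the page; the +1 severity step and the 80-character window are assumptions.
const DANGEROUS = ["onerror", "onclick", "onload", "onmouseover", "onfocus",
  "javascript:", "eval(", "document.write", "innerHTML"];
const BASE = { body: "low", script: "medium", attribute: "medium" };
const RANK = ["low", "medium", "high"];

// Decide which HTML context the character at `index` sits in, using only the text before it.
function contextAt(html, index) {
  const before = html.slice(0, index).toLowerCase();
  const open = before.lastIndexOf("<script");
  // Inside <script>...</script>: the last opening tag is complete and not yet closed.
  if (open > before.lastIndexOf("</script") && before.includes(">", open)) return "script";
  const tagStart = before.lastIndexOf("<");
  if (tagStart === -1) return "body";
  let quote = null;
  for (const ch of before.slice(tagStart)) {
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === ">") return "body"; // the tag closed before the reflection point
  }
  return "attribute"; // still inside an open tag (quoted or unquoted attribute value)
}

// Report every verbatim (unencoded) occurrence of `payload` in `html`.
// An HTML-encoded echo does not match the raw payload, so it produces no finding.
function findReflections(html, payload, opts = {}) {
  const { minPayloadLength = 4, dangerousPatterns = DANGEROUS, radius = 80 } = opts;
  const findings = [];
  if (payload.length < minPayloadLength) return findings; // too short, likely natural text
  for (let i = html.indexOf(payload); i !== -1; i = html.indexOf(payload, i + payload.length)) {
    const context = contextAt(html, i);
    const near = html.slice(Math.max(0, i - radius), i + payload.length + radius).toLowerCase();
    const dangerousPattern = dangerousPatterns.find((p) => near.includes(p.toLowerCase())) ?? null;
    const step = RANK.indexOf(BASE[context]) + (dangerousPattern ? 1 : 0);
    findings.push({ type: "reflection", severity: RANK[Math.min(step, 2)], context, dangerousPattern });
  }
  return findings;
}

// Constructed sample response: the same marker echoed in a body and an attribute position.
const sample = '<p>Your search: probe_12345</p><input value="probe_12345" />';
console.log(findReflections(sample, "probe_12345"));
```
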

Example Findings

Body Reflection

{
  "type": "reflection",
  "severity": "low",
  "title": "Payload Reflected in HTML body",
  "description": "Input payload was reflected back in the HTML body.",
  "evidence": "...Your search: <script>alert('XSS')</script>...",
  "metadata": {
    "detectionMethod": "reflection",
    "context": "body",
    "dangerousPattern": null
  }
}

Script Reflection with Dangerous Pattern

{
  "type": "reflection",
  "severity": "high",
  "title": "Payload Reflected in script context",
  "description": "Input payload was reflected in script context near dangerous pattern \"onerror\".",
  "metadata": {
    "detectionMethod": "reflection",
    "context": "script",
    "dangerousPattern": "onerror"
  }
}

Reducing False Positives

Minimum Payload Length

Short payloads like 1 or test may appear naturally in the page:
minPayloadLength: 6 # Skip short payloads

Disable Body Detection

If you’re getting too many low-confidence findings:
detectBody: false
detectScript: true
detectAttribute: true

For balanced detection:
plugins:
  - name: "@vulcn/plugin-detect-xss"
    config:
      detectDialogs: true
      severity: high

  - name: "@vulcn/plugin-detect-reflection"
    config:
      detectBody: false # Skip low-confidence body reflection
      detectScript: true # Catch script context (dangerous)
      detectAttribute: true # Catch attribute context
      scriptSeverity: high # Upgrade script context to high
This focuses on high-value findings while reducing noise.