Qualys Guard WAS Scanner has just detected a new reflected XSS that I'm able to reproduce.
My question is about its exploitation (which seems difficult to me), which could lead to a severity mitigation...
The XSS consists of sending some malicious code in a parameter using HTTP GET.
The data returned by the web server includes the malicious code, but with a "text/plain" content type.
It means that a script element is returned as plain text content in the browser but isn't executed.
The service that has this XSS usually responds to AJAX calls from the browser and speaks JSON.
What do you think about this use case?
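
A triage sketch for the situation described in the question, added here as an example and not part of the original post: it labels a reflected value by the response's Content-Type and X-Content-Type-Options headers, which decide whether the browser parses the body as markup. The function name, labels, marker and sample responses are constructed for illustration.

```python
# Added example: triage of a reflected-input finding by its response headers.
# MIME types a browser parses as active markup, where an injected script can run.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

def triage_reflection(headers, body, marker):
    """Return a label for one HTTP response.

    headers: dict of response headers, body: decoded response text,
    marker: the exact value that was sent in the GET parameter.
    """
    if marker not in body:
        return "not-reflected"          # encoded or dropped by the server
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if ctype in ACTIVE_TYPES:
        return "active-context"         # body is parsed as markup
    if not ctype:
        return "no-declared-type"       # browser has to guess the type from the body
    if not nosniff:
        return "inert-type-no-nosniff"  # shown as text; type not pinned for sniffing clients
    return "inert-type-pinned"          # shown as text and sniffing is disabled

# Constructed marker and responses (not taken from the scanner report).
MARKER = "<script>qa_marker_1()</script>"
SAMPLES = {
    "as_reported": ({"Content-Type": "text/plain"},
                    "Unknown value: " + MARKER),
    "json_pinned": ({"Content-Type": "application/json; charset=utf-8",
                     "X-Content-Type-Options": "nosniff"},
                    '{"error": "Unknown value: ' + MARKER + '"}'),
    "html_page": ({"Content-Type": "text/html"},
                  "<p>Unknown value: " + MARKER + "</p>"),
    "html_encoded": ({"Content-Type": "text/html"},
                     "<p>Unknown value: &lt;script&gt;qa_marker_1()&lt;/script&gt;</p>"),
}

def run_samples():
    """Classify every constructed sample and return {name: label}."""
    return {name: triage_reflection(hdrs, body, MARKER)
            for name, (hdrs, body) in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in run_samples().items():
        print(f"{name}: {label}")
```

The "as_reported" sample mirrors the finding in the question: the value is reflected under text/plain, so it is displayed rather than executed, and the remaining hardening step is pinning the type with `X-Content-Type-Options: nosniff`.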