Secure Legion Labs

Reflected XSS Lab

Reflected XSS

This lab demonstrates a reflected XSS flow where a search-style interface reads user input from the URL and reflects it into the page. The goal is to move from a URL parameter into executable browser behavior through a weak filter.

Objective: Exploit reflected input. Use the request parameter to reach JavaScript execution.
Difficulty: Beginner to Intermediate. Obvious payloads struggle, cleaner payloads win.
Flag: Unlock on solve. Successful execution reveals the challenge flag.

Try It Yourself

Use the query parameter

This lab reads input from ?q= and reflects it back into the page. Use the console below or edit the URL directly.

  • Parameter: ?q=your_input_here
  • Test Surface: ?q=payload_here

Hint: Focus on how the browser interprets the final rendered markup, not just on the specific strings the page tries to remove.

Filter Logic

What the page tries to block

The filter removes broad script references and replaces the word alert. It looks defensive but still leaves a practical bypass route.

replace(/script/gi, "")
replace(/alert/gi, "blocked")

Lab Console

Launch a payload

Use the internal console to test payloads and sync them into the current page URL.

Vulnerable Reflection

Output

The search result is written into innerHTML and mirrored in a debug line as a second reflection point.

Flag Unlock

Challenge flag

Once you trigger the right execution path, the flag appears here.

Submit Flag

Validate completion

Submit the exact flag to unlock the completion modal and continue to the next room.

Flag is locked until you trigger the challenge condition.

Execution Path

How reflected XSS happens here

1. Read query

The page pulls attacker-controlled data from ?q=.

2. Weak cleanup

Only a few obvious patterns are changed, which creates false confidence.

3. Reflect into HTML

The resulting string is rendered as HTML, so any markup that survives the cleanup is parsed by the browser, which creates execution paths.
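
The three steps above, seen from the fixing side, as an added example that is not the lab's own source: it runs the two substitutions listed under Filter Logic next to plain output encoding on the same ?q= value. The function names, the lab.example host and the sample input are assumptions constructed for illustration.

```javascript
// Added example, not the lab's source. All function names are hypothetical.

// The two substitutions listed under "Filter Logic", applied in order.
function weakFilter(input) {
  return input.replace(/script/gi, "").replace(/alert/gi, "blocked");
}

// Output encoding: every character with meaning in HTML text or in a
// quoted attribute value becomes an entity, so nothing is parsed as markup.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// True when the string still holds something an HTML parser would open as a tag.
function hasTagSyntax(s) {
  return /<[a-z!\/]/i.test(s);
}

// Step 1: read ?q= from the request URL (the host is a placeholder).
function readQuery(url) {
  return new URL(url, "https://lab.example").searchParams.get("q") ?? "";
}

// Steps 2 and 3: what each approach would hand to an HTML sink.
function compare(url) {
  const raw = readQuery(url);
  const filtered = weakFilter(raw);
  const encoded = escapeHtml(raw);
  return {
    raw,
    filtered,
    encoded,
    filteredHasTags: hasTagSyntax(filtered),
    encodedHasTags: hasTagSyntax(encoded),
  };
}

// Constructed, harmless sample: formatting markup only, no script content.
const sampleUrl = "/search?q=" + encodeURIComponent('<b title="x">alert level</b>');
console.log(compare(sampleUrl));
```

The word-level filter rewrites text the user legitimately typed while leaving the tag and attribute intact; encoding keeps the text and removes the markup. In the page itself, assigning the value to textContent instead of innerHTML gives the same result without manual encoding.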