Lab 1: Reflected XSS into HTML context with nothing encoded

 

1. What the Lab Is About (Simple Summary)

This PortSwigger lab demonstrates reflected Cross-Site Scripting (XSS) in a page where:

  • The server takes user input from the URL

  • The page injects that input directly into HTML

  • Nothing is encoded or sanitized

Because of that, an attacker can craft a link that makes the browser run unintended JavaScript.

The lab goal:
➡️ Inject a harmless script payload to show an alert.

๐Ÿง  2. Analogy: “The Classroom Announcer”

Imagine a teacher who reads out all messages handed to them, exactly as written, without checking.

If a student writes:

“Today’s homework is canceled!”

…the teacher reads it out loud, even though it wasn’t real.

This lab is the same idea:
The website takes whatever the user writes (in the URL) and announces it inside the page without checking.

If someone adds:

"><script>alert('XSS')</script>

…then the “teacher” (browser) reads it out loud and executes it.

๐Ÿ” 3. How the Vulnerability Works

The page contains HTML like this:

<p>You searched for: <span id="q">USER INPUT HERE</span></p>

If the developer inserts the value like this:

<span id="q"><?php echo $_GET['search']; ?></span>

…then dangerous characters like " < > are not encoded.

This allows the user to break out of the HTML context and inject script.

๐Ÿงช 4. Steps of Exploitation (Student-Friendly)

  1. Find where user input appears on the page

    • In the search box, or URL parameter like ?search=abc.

  2. Confirm the page reflects the input

    • Change the value and reload.

    • If the text appears unchanged → potential XSS.

  3. Test for HTML injection
    Try breaking the HTML context:

    "
'
>

  4. Inject a harmless script payload
    Example (the lab’s goal):

    <script>alert(1)</script>

  5. Submit the payload
    If the alert pops, the lab is solved.

๐Ÿงจ 5. Example of Vulnerable Code (Analogous to the Lab)

<?php
$search = $_GET['search'];
echo "<p>You searched for: $search</p>";

Why this is vulnerable:

  • User input is inserted directly into HTML

  • No encoding

  • No sanitization

  • Browser interprets malicious HTML/JS

๐Ÿ›ก️ 6. How to Fix the Bug Properly

✔️ Safe Fix: HTML Escape Output

In PHP:

<?php
$search = htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');
echo "<p>You searched for: $search</p>";

This converts dangerous characters:

  • <&lt;

  • >&gt;

  • "&quot;

The browser displays them but does not execute them.

✔️ Alternative Fixes (High-Level)

  • Use frameworks that auto-escape output (React, Django, Ruby on Rails)

  • Avoid mixing HTML and user data

  • Validate input when applicable

  • Set strong Content Security Policy (CSP) (defense-in-depth)

๐Ÿ“˜ Summary (One Sentence)

This lab teaches that when user input is placed inside HTML without encoding, the user can inject markup or script, and the fix is to properly escape output before rendering it in the page.


References:

https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded

Comments

Post a Comment

Popular posts from this blog

SQL Injection Attacks | Shahul Hameed

Image
Lab 1:   SQL injection UNION attack, determining the number of columns returned by the query Introduction      This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.      To solve the lab, determine the number of columns returned by the query by performing an  SQL injection UNION  attack that returns an additional row containing null values. Solutions: Use Burp Suite to intercept and modify the request that sets the product category filter. Modify the  category  parameter, giving it the value  '+UNION+SELECT+NULL-- . Observe that an error occurs. Modify the  ...
Read more

To use emulator(Using NOX emulator): Open Appie Application | Shahul Hameed

Image
To use emulator(Using NOX emulator): Open Appie Application Tools Requirements 1. Appie tool 2. Burp certificate 3. Frida Server Step 1: $ cd C:\Appie\bin\adt\sdk\platform-tools Step 4 – 6 One time steps we have to do for new devices or emulator. Step 2: $ .\adb.exe connect 127.0.0.1:62001 Step 3: $ adb devices Step 4: $ adb push fridasslandroot.js / data/local/tmp Step 5: $ adb shell chmod 777 / data /local/tmp/frida-server Step 6: $ adb push cacert.der /data/local/tmp/cert-der.crt Step 7: Run frida server $ adb shell /data/local/tmp/frida-server & Step 8: Open new tab in APPIE and execute below command: Finally you are unpinned and execute application in rooted mobile. $ frida -U -f <Your-Package-Name> -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus $ frida -U -f com.test.demo -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus
Read more

Pentest - Web Application Vulnerability Scanner | Shahul Hameed

Image
 W eb Application Vulnerability Scanner  Tool Name:  NUCLEI   Description      Nuclei are used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offer to scan for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless, etc. With powerful and flexible templating, Nuclei can be used to model all kinds of security checks.           Nuclei are a fast, template-based vulnerability scanner focusing on extensive configurability , massive extensibility, and ease of use. Installation & Demonstration Usage:      CMD : nuclei -h Step 1:      Download and install before use nuclei Go lang in kali linux      CMD : sudo apt-get update & sudo apt-get upgrade      CMD: sudo apt-get install -y golang Step 2:      Download and in...
Read more