🎯 TL;DR:

Typed <script>alert(1)</script> in a search box → clicked "Search" → 💥 JavaScript executed right in the browser. Why? The server reflected the search term straight into its HTML response with no output encoding and no filtering. Not DOM-based XSS, just raw server-side HTML injection. Let's break it down 👇


🧠 What's This Lab About?

This PortSwigger lab is Reflected Cross-Site Scripting (XSS) in its rawest form: the app takes your search term from the request and writes it directly into the HTML response without encoding or filtering it.

🔎 Step-by-Step Walkthrough:

✅ 1. Loaded the Lab

  • Lab title: Reflected XSS into HTML context with nothing encoded
  • Simple blog-style page with a search bar

✅ 2. Entered This Payload:

<script>alert(1)</script>

Typed it directly into the search input box (not the URL bar). The search form submits via GET, so after submitting you can see the same payload sitting in the ?search= parameter of the URL. That URL is the real attack vector: anyone who opens it gets the same result.

✅ 3. Clicked "Search"

The payload was reflected back into the page's HTML 👀

✅ 4. Boom 💣: Alert Triggered

The browser parsed the reflected <script> tag as part of the page and executed the alert. Congrats, you just popped an XSS! 🎉

💥 Why It Worked

  • The app didn't HTML-encode (or otherwise filter) the search term before writing it into the response
  • The HTML response inserted this (illustrative fragment; the lab's exact markup differs slightly):
<p>You searched for: <script>alert(1)</script></p>
  • The browser parsed the reflected <script> tag like any other element in the page and executed its contents as JS, in the lab's origin

Result? Your script ran exactly as written, with the same privileges as the site's own scripts 😈

🧪 Real-World Damage Potential:

This vulnerability might look basic, but once an attacker gets a victim to open a crafted link, the injected script runs in the victim's session on the vulnerable site and can lead to:

  • Credential theft (fake login forms, keylogging)
  • Session hijacking (reading or replaying the victim's cookies or tokens)
  • Full account takeover (making authenticated requests as the victim)
  • Self-replicating JS worms 🪱 (realistically this needs stored XSS; a reflected bug is a one-victim-per-link vector)

Reflected XSS needs the victim to click or be redirected to the attacker's URL, which is why it is usually rated lower than stored XSS. It's still the kind of bug that bug bounty hunters dream about.

πŸ” How to Fix It:

  1. Escape all dynamic input reflected in HTML using proper libraries
  2. Sanitize any user input with tools like DOMPurify
  3. Implement Content Security Policy (CSP)
  4. Avoid using .innerHTML when .innerText or .textContent will do
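To tie the "Why It Worked" and "How to Fix It" sections together, here is a small added example (not the lab's code and not from the original post). It models the lab's search response two ways: the vulnerable version concatenates the raw query into HTML exactly as the lab does, and the fixed version HTML-entity-encodes it first. It also shows how the payload typed into the search box becomes a shareable attack URL via the form's GET parameter. The function names, the `https://example.test` origin and the `<p>You searched for: ...</p>` fragment are illustrative assumptions.

```javascript
// Added example: reflected XSS in HTML element context, vulnerable vs. fixed.
// Not the lab's real server code; the <p> fragment mirrors the illustrative
// markup used in the write-up, and all names below are made up for the demo.

const PAYLOAD = "<script>alert(1)</script>"; // the payload from the lab

// VULNERABLE: the search term is concatenated straight into the HTML response.
// This is the lab's behaviour ("nothing encoded").
function renderSearchVulnerable(query) {
  return `<p>You searched for: ${query}</p>`;
}

// FIX: HTML-entity-encode untrusted data before placing it in element content.
// These five characters are enough for element context; attribute, JavaScript
// and URL contexts each need their own encoder.
function escapeHtml(str) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchSafe(query) {
  return `<p>You searched for: ${escapeHtml(query)}</p>`;
}

// Delivery: the lab's form submits via GET, so typing the payload into the
// search box is equivalent to visiting this URL. An attacker sends the link;
// the victim's browser does the rest. Origin is a placeholder.
function buildAttackUrl(origin, payload) {
  return `${origin}/?search=${encodeURIComponent(payload)}`;
}

// Crude check used only to make the difference between the two renderings
// visible: does the output still contain an un-encoded <script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo.
console.log("vulnerable:", renderSearchVulnerable(PAYLOAD));
console.log("  executes? ", containsRawScriptTag(renderSearchVulnerable(PAYLOAD)));
console.log("fixed:     ", renderSearchSafe(PAYLOAD));
console.log("  executes? ", containsRawScriptTag(renderSearchSafe(PAYLOAD)));
console.log("attack URL:", buildAttackUrl("https://example.test", PAYLOAD));
```

Run it with `node` and compare the two rendered fragments: in the fixed output the browser receives `&lt;script&gt;` as text to display, never as a tag to parse, which is the whole fix. The attack URL shows why "typed it in the search box, not the URL bar" makes no difference to exploitability.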

✅ Final Thoughts

Sometimes the simplest payloads expose the biggest flaws.

This lab shows exactly why understanding basic XSS gives you an edge in CTFs, bug bounties, and real-world pentests. Never overlook the classics 🔥

📣 Follow Me: Let's Build Together 🧠⚡

I'm building RootPwn to help others learn, grow, and pwn the web ethically.

🔗 YouTube (Video Tutorials): https://www.youtube.com/@RootPwn

📸 Instagram (Reels + Carousels): https://www.instagram.com/rootpwned/

✍️ Medium (Walkthroughs): https://medium.com/@RootPwned

💻 GitHub (Tools + Scripts): https://github.com/sumanth192

🐦 Twitter/X (Threads + Payloads): https://x.com/RootPwned

💼 LinkedIn (Professional content): https://www.linkedin.com/in/rootpwned/

#XSS #ReflectedXSS #BugBounty #WebSecurity #EthicalHacking #PortSwigger #OWASPTop10 #CEH #RootPwn #CTF #TryHackMe #HackTheBox #JavaScriptInjection #CyberSecurity #SearchBoxHack