A hands-on Cross-Site Scripting (XSS) walkthrough on VulnLab by Yavuzlar, covering real-world attack scenarios, bypass techniques, and secure remediation guidance.

🔗 Lab: https://github.com/Yavuzlar/VulnLab

⚠️ All testing was performed in a local, authorised lab environment for educational purposes only.

Do you know why VulnLab is important for beginners?

VulnLab is an excellent learning repository for beginners because it covers a wide range of real-world web vulnerabilities in one lab, including:

  • XSS
  • SQL Injection
  • XXE
  • File Inclusion (LFI/RFI)
  • IDOR
  • Command Injection
  • Unrestricted File Upload
  • CSRF
  • Insecure Deserialization
  • Broken Authentication
  • Race Condition
  • SSTI
  • API Hacking
  • CAPTCHA Bypass
  • Path Traversal

Instead of focusing on flags, VulnLab helps beginners learn how to identify vulnerable input points, understand insecure data flow, and analyse application behaviour. Each module demonstrates common developer mistakes, making it easier to recognise similar vulnerabilities in real-world applications.

VulnLab is especially useful for those preparing for VAPT roles, bug bounty programs, and web security assessments, as it promotes a practical, methodical approach to vulnerability identification and reporting.

Follow these steps to set up the lab on your local machine:

  1. Clone the repository:

git clone https://github.com/Yavuzlar/VulnLab

  2. Build the Docker image:

docker build -t yavuzlar/vulnlab .

  3. Run the container:

docker run -d -p 1337:80 yavuzlar/vulnlab

  4. Access the lab in your browser:

http://localhost:1337

1. Reflected XSS — Search Function

The search functionality reflects user input directly into the response without proper output encoding.

Payload used:

<script>alert(1)</script>

Once submitted, the JavaScript executes immediately.


Severity: Medium CVSS: 6.1 — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

2. Stored XSS — Comment Section

User comments are stored server-side and rendered to all users without sanitisation.

Payload:

<script>alert(1)</script>

The alert executes every time the page loads, even after submitting normal messages later.


Severity: High CVSS: 6.8

3. DOM-Based XSS — Area of Triangle

The application processes height and base parameters directly in client-side JavaScript.


Payload:

?height=10;alert(1);&base=10

JavaScript executes entirely on the client side without server involvement.

The payload is carried entirely in the URL query string.

Severity: Medium CVSS: 6.1

4. HTML Attribute Injection — No User Interaction

User input is injected into an HTML attribute without encoding.


Payload:

" autofocus onfocus=alert(1) x="

Why this works:

  • The leading " closes the attribute value, breaking out of the attribute context
  • autofocus gives the element focus automatically on page load
  • onfocus then executes the JavaScript without any user interaction

Severity: High CVSS: 7.2

5. DOM + Attribute XSS — Image Gallery

The image gallery reads the img parameter from the URL and injects it into an <img> attribute.


Payload:

?img=" onerror=alert(1) x="

When the image fails to load, the onerror handler executes.


Severity: Medium CVSS: 6.1

6. Stored XSS via User-Agent — Admin Panel

The application logs the User-Agent header and renders it in the admin panel without sanitisation.


Injected header (via Burp Suite):

User-Agent: "><img src=x onerror=alert(1)>

The payload is stored in logs and executes when an admin views them.


Severity: High CVSS: 8.8

7. Stored XSS via JavaScript URI — News Feature

Although HTML characters are escaped, the URL field does not validate dangerous URI schemes.


Payload:

javascript:alert(1)
When any user clicks the link, JavaScript executes.

Severity: Medium CVSS: 6.8

8. Stored XSS via File Upload — Malicious Filename

The application validates file type but fails to sanitise filenames before rendering them.


Malicious filename:

"><svg onload=alert(1)>.jpg

The SVG payload executes when the uploaded file's name is rendered on the page.


Severity: High CVSS: 7.2
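The findings above all come down to untrusted input reaching a different context than the developer expected. The following added example (my own code, not VulnLab's) shows one safe handling routine per context: HTML text, HTML attribute, href, DOM number parsing, and filenames. The placeholder base URL used for parsing relative links is an assumption of the example and is never written to the page.

```javascript
// Added remediation example (not VulnLab's own code): one safe handling
// routine per context exercised in the eight findings above.

// Sections 1, 2, 6, 8 (HTML text context): encode the characters that can
// start a tag or entity before the value is written into the page body.
function encodeHtmlText(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Sections 4, 5 (attribute context): same encoding, and the template must
// always put the value inside double quotes so a stray quote cannot close
// the attribute and add autofocus/onfocus/onerror.
function renderImg(src) {
  return `<img src="${encodeHtmlText(src)}" alt="">`;
}

// Section 7 (URL context): escaping does not stop javascript: links, so
// parse the href and allow only http/https. The base is a placeholder that
// lets relative links parse; it is never written to the page.
function safeHref(raw) {
  const candidate = String(raw).trim();
  let url;
  try {
    url = new URL(candidate, "https://placeholder.invalid/");
  } catch {
    return null; // unparsable: do not render the link at all
  }
  return url.protocol === "http:" || url.protocol === "https:" ? candidate : null;
}

// Section 3 (DOM context): never eval() a query parameter. Accept only a
// plain non-negative decimal and reject everything else.
function parseLength(param) {
  const text = String(param).trim();
  return /^\d+(\.\d+)?$/.test(text) ? Number(text) : null;
}
function triangleArea(heightParam, baseParam) {
  const h = parseLength(heightParam), b = parseLength(baseParam);
  return h === null || b === null ? null : (h * b) / 2;
}

// Section 8 (filenames): normalise on upload to a conservative character set,
// then still encode with encodeHtmlText when the name is rendered.
function safeFilename(name) {
  return String(name).replace(/[^A-Za-z0-9._-]/g, "_").replace(/_+/g, "_");
}
```

Each routine is only correct for the context it is named for; encoding for the HTML body does nothing against a javascript: href, which is exactly why finding 7 survives escaping.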