easy Live now Web

Reflected XSS

User input echoed into the page without escaping runs as code in the browser. Drill finding the unescaped reflection and firing a payload.

Locate where your input is reflected into the response and in what context — HTML body, an attribute, a script block. The context dictates the breakout.

Craft a payload that escapes that context and executes, then prove impact. Variants change the reflection context and any filtering so you adapt the payload instead of pasting one string.

How the attack works

  1. Inject a unique marker and find where it is reflected unescaped.
     search=xss7919
  2. Break out of the reflection context with a script tag.
     "><script>alert(document.domain)</script>
  3. If tags are filtered, fall back to an attribute / event-handler vector.
     " onmouseover=alert(1) x="
  4. Confirm execution in the browser to capture the flag.
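
The fix for what these steps find is to encode the reflected value for the context it lands in. The following is an added example, not code from PwnKata or the drill target: the page template, function names and the `search` field are assumptions, and the sample inputs are the strings from the steps above reused as regression inputs.

```javascript
// Added example: context-aware output encoding for a reflected search term.
// The template and all function names are constructed for illustration.

// HTML body and quoted-attribute contexts: encode the five metacharacters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Script-block context: emit a JSON string literal, then neutralise the
// characters that could close the <script> element or end the JS line.
function escapeForScript(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable: the term is concatenated into all three contexts as-is.
function renderVulnerable(q) {
  return `<p>Results for ${q}</p>` +
    `<input name="search" value="${q}">` +
    `<script>var term = "${q}";</script>`;
}

// Hardened: each sink uses the encoder that matches its own context.
function renderSafe(q) {
  return `<p>Results for ${escapeHtml(q)}</p>` +
    `<input name="search" value="${escapeHtml(q)}">` +
    `<script>var term = ${escapeForScript(q)};</script>`;
}

// Regression check: true if the raw input survives in the response unchanged.
function reflectsRaw(render, input) {
  return render(input).includes(input);
}

// Constructed regression inputs: the marker and the two strings from the steps.
const SAMPLES = [
  'xss7919',
  '"><script>alert(document.domain)</script>',
  '" onmouseover=alert(1) x="',
];
```

The plain marker is reflected unchanged by both renderers because it contains no metacharacters, so a regression test needs inputs that carry `"`, `<` and `>` to tell the two apart.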

On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.

What you'll practice

XSS, reflected XSS

Objective

Recover the flag at /root/flag.txt and submit it.
