Share
## https://sploitus.com/exploit?id=81A6158E-0E37-5767-9802-0D9287FC1257
# Lab: Reflected XSS in HTML context without encoding  

> **Difficulty**: APPRENTICE  
> **Source**: [PortSwigger Web Security Academy](https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded)  

---  

## Description of the vulnerability  

This lab demonstrates the most basic form of **Reflected XSS**. The server directly embeds the user’s search query into the HTML response, without any encoding or filtering. This allows attackers to execute arbitrary JavaScript in the victim’s browser.  

---  

## Attack process  

1. Open the search box on the lab homepage.  
2. Enter the following payload and click **Search**:  
   ```html
   alert(document.domain)
   ```  
3. The server embeds the payload unchanged into the HTML. The browser parses and executes the `alert` tag.  
4. An `alert` dialog box is displayed. The lab is marked as **Solved**.  

---  

## Detection script `xss_lab1.py`  

This automated script sends an XSS payload and checks whether the response contains unencoded payloads.  

### Environment requirements  

- Python 3.x (No third-party packages required)  

### Creating a virtual environment  

```powershell
python -m venv venv
.\venv\Scripts\Activate.ps1
```  

### Running the script  

```powershell
python xss_lab1.py https://.web-security-academy.net/
```  

### Example script output  

```
============================================================
XSS Detection — Reflected XSS (HTML context, no encoding)
============================================================
Target URL: https://xxxx.web-security-academy.net/
Payload: alert(document.domain)
Query URL: https://xxxx.web-security-academy.net/?search=%3Cscript%3Ealert%28document.domain%29%3E
------------------------------------------------------------
HTTP Status Code: 200

[Vulnerability confirmed] Unencoded payload found in the response! There is a Reflected XSS vulnerability:
       alert(document.domain)

Conclusion: ✅ The XSS payload was directly reflected in the front end, without any encoding or filtering. Attackers can execute arbitrary JavaScript in the victim’s browser.

```
---  

## Recommendations for protection  

| Method | Description |
|-------|--------------|
| **HTML entity encoding** | Convert ``, `"`, `'`, `&` to their corresponding entities before outputting them to HTML. |
| **Content Security Policy (CSP)** | Restrict the sources of executable scripts. |
| **Input validation** | Reject or clean inputs containing special characters like `&`.  

---  

## File structure  

```
. ├── xss_lab1.py      # Automated XSS detection script
├── README.md        # This readme file
└── ATTACK_REPORT.md # Vulnerability report
```

[source-iocs-preserved url=https://xxxx.web-security-academy.net/?search=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E]