๐Ÿ”ด Reflected XSS Lab

innerHTML-Based Vulnerability

Home > Reflected XSS
โš ๏ธ FOR EDUCATIONAL PURPOSES ONLY - DO NOT USE ON REAL SYSTEMS

๐Ÿ“š What is Reflected XSS?

Reflected Cross-Site Scripting (XSS) occurs when user input is immediately returned by a web application without proper sanitization or encoding. The malicious script is "reflected" off the web server in the response.

In this lab, we use innerHTML to display user input directly, which allows HTML and JavaScript to be executed in the browser context.

๐Ÿงช Try It Yourself

Output:

๐Ÿ’ก Try These Payloads

Copy and paste these into the input field to see the vulnerability in action:

<img src=x onerror=alert('XSS')>
<script>alert('Reflected XSS!')</script>
<img src=x onerror="alert(document.cookie)">

๐Ÿ” Understanding the Vulnerability

Vulnerable Code:

// โŒ VULNERABLE: Using innerHTML with user input
const output = document.getElementById('output');
output.innerHTML = 'Welcome, ' + userInput + '!';

The problem: innerHTML parses the string as HTML, so any HTML tags or JavaScript in the user input will be executed.

Secure Code:

// โœ… SECURE: Using textContent instead
const output = document.getElementById('output');
output.textContent = 'Welcome, ' + userInput + '!';

// โœ… SECURE: Or create text node
const textNode = document.createTextNode(userInput);
output.appendChild(textNode);

// โœ… SECURE: Or use DOMPurify library
const clean = DOMPurify.sanitize(userInput);
output.innerHTML = 'Welcome, ' + clean + '!';

โš ๏ธ Real-World Impact

๐Ÿ”’ Prevention Techniques