M_02/ A03:2021 — Injection

Cross-Site Scripting (XSS)

Submit a payload and watch a browser parse it. The simulator never executes scripts — it shows you the parse tree, the would-be sink, and the safe escaped alternative.

Reflected XSS: the payload bounces off the server inside the response, delivered via a crafted URL.

1.0 Post Composer

Payload presets:
  • Script tag
  • Event handler attribute
  • javascript: URL
  • Attribute breakout

2.0 Server-Side & Browser Logic (state: Vulnerable)

Simulated request: https://feed.local/post/42
Sink type: INNERHTML

Rendered post preview (@user · just now): <img src=x onerror="alert(1)"> would execute

Vulnerable sink:

    res.send(
      `<h2>Results for: ${req.query.q}</h2>`);

Safe sink:

    <h2>Results for: {q}</h2>
    // auto-escape + CSP

HTML entity encoding (what escaping does):

    &lt;img src=x onerror=&quot;alert(1)&quot;&gt;

DOM tree (what the parser would build):
  • ├─ <img src=x onerror="alert(1)">

3.0 Intelligence

What just happened

The payload reaches an innerHTML sink fed from a query parameter. When the response is parsed, the browser would create real elements (and attach their event handlers).

Logical flow

  • 01 Attacker crafts a URL with the payload in a query parameter.
  • 02 Server reflects the payload into the response HTML unescaped.
  • 03 Browser parses the response; the payload becomes live DOM nodes.
  • 04 Event handlers run in the victim's origin → cookies, tokens and the DOM are all reachable.

Risk: Critical
OWASP: A03

↳ What the developer intended
Echo the search term back in a results header.

↳ What the runtime actually executes
The payload merges into the HTML stream and the parser builds a real <img> element, whose onerror handler would run.
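The vulnerable and safe sinks side by side as runnable code, an added example that is not the simulator's own source: escapeHtml, renderVulnerable, renderSafe, the req/res stand-ins and the sample CSP value are all constructed here under the assumption of an Express-like req.query / res.send interface.

```javascript
// Added example, not the simulator's code: the reflected sink from the page
// beside a hardened handler. req/res are small constructed stand-ins so the
// file runs without Express (assumption: Express-like req.query / res.send).

// Entity map for an HTML text or attribute context.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Output-encode untrusted text before it is interpolated into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable sink: the query parameter goes straight into the HTML stream.
function renderVulnerable(req, res) {
  res.send(`<h2>Results for: ${req.query.q}</h2>`);
}

// Hardened sink: encode first, and add a restrictive CSP as a second layer
// (the policy string is an assumed sample; tune it per application).
function renderSafe(req, res) {
  res.set("Content-Security-Policy", "default-src 'self'; script-src 'self'");
  res.send(`<h2>Results for: ${escapeHtml(req.query.q)}</h2>`);
}

// Response stand-in that records headers and body instead of sending them.
function makeRes() {
  const res = { headers: {}, body: "" };
  res.set = (name, value) => { res.headers[name] = value; };
  res.send = (html) => { res.body = html; };
  return res;
}

// A live <tag ...> element can only be created if a raw '<' reaches the
// parser; the entity-encoded form "&lt;img" never matches.
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}\\b`, "i").test(html);
}

// Run both handlers on the page's sample payload (constructed request).
function demo(payload = '<img src=x onerror="alert(1)">') {
  const req = { query: { q: payload } };
  const bad = makeRes();
  renderVulnerable(req, bad);
  const good = makeRes();
  renderSafe(req, good);
  return { vulnerable: bad.body, safe: good.body, csp: good.headers };
}
```

Calling demo() returns the two response bodies: the vulnerable one still carries a raw <img> tag, the safe one carries only the entity-encoded text shown in the encoding panel above.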
Attack flow — reflected XSS