Post cover image

June 29, 2026

Cybersecurity Practice Lab 3

XSS (Cross-site scripting)

By Akhil Thakur

4 min read

This contains 5 labs of XSS vulnerability penetration

So XSS means the user side script which is usually comments or something that a user or you upload on web and seen by others

So 1st lab is about

Reflected XSS into HTML context with nothing encoded

So this lab is about exploiting the XSS vulnerability with the simplest form which is using simple HTML that work directly used in system to execute a command so in this we have to execute the alert command so we will use this command

<script>alert(1)</scripts>

so type this command anywhere on this website where you can type or others can see it can be search box , comment box so try it yourself

Note:- So in case of comment box type that command and type after whatever they are asking or whatever put anywhere and in case of website there put genuine link of any website there like www.google.com

So 2nd lab is about

Stored XSS into HTML context with nothing encoded

So this lab is same as previous so try that command in search box , comment box wherever you get something to type

So 3rd lab is about

DOM XSS in innerHTML sink using source location.search

So DOM (Document object Model) is the internal map of the webpage so everything is connected like everything connected like branches of a tree can be seen and we can take advantage of that and innerHTML is used to pass the strings as raw HTML without validating or sanitizing it and location.search is property of browser's [Location object (provide information of current URL)] which is used to pass data or parameters to web and sink means to put something into and source means where to put

So this whole means is that we are going to enter the web nodes by make our data a node itself so we get the access of data in the web connected to the nodes from our data node

So now we can't use innerHTML directly because no doubt they have a security for it because of behavior of not doing sanitize itself so we will now use a command with a little trick

<img src=x onerror=alert(1)>

(<) — opening of a command ; img — image; src — source; (=) — to assign a string; x — assigned string; onerror — after getting error; (=) — to assign a string; alert(1) — it is something we have to execute;(>) — closing of a command which all means that we are going to send a image that doesn't exist and just because that we have also provided the alternative if error happens which is alert(1) which is the command we want to execute

So try this command in any box where you can type or other can see it and this is the exact command so now you just have to try it that's all

So 4th lab is about

DOM XSS in document.write sink using source location.search inside a select element

So in this lab way of entering in the web node is document.write is used to write strings as raw HTML and by using that we going to exploit the XSS vulnerability

So for this we write that raw string to pass and so for this we will use this command

&storeId= "></select><img src=x onerror=alert(1)>

(&) — to indicate that we are giving another input; (=) — to assign a string; x — assigned string; (">) — it is used so that we can close the the code and get out of the intended code; — it is used to close the drop down menu that is started when the website loaded so that we can give our own command that will actually takes as another command instead of part of inside of URL page; (<) — opening of a command ; img — image; src — source; (=) — to assign a string; x — assigned string; onerror — after getting error; (=) — to assign a string; alert(1) — it is something we have to execute;(>) — closing of a command which all means that we are entering our command inside the URL and will work outside of URL so that we can enter the node by becoming the node

So type this command after clicking any product and then in the URL box you will see like this https://0a8800ee04fdfba78046d5e200260069.web-security-academy.net/product?productId=1 so just put my command just after that because in this webpage we don't get any box or input holder where we can enter so will use the URL box to do that

So our 5th lab is about

DOM XSS in jQuery anchor href attribute sink using location.search source

So jQuery is JavaScript query and anchor is the something that let the web connected together like anchor in real life holding a big ship containing multiple rooms and href is an attribute which is used to execute the command it is used in the codes to execute something and can be exploited if it doesn't get validated or sanitized

So we will exploit a vulnerability using href attribute by using this command

?returnPath=javascrtipt:alert(1)

(?) — it is used as if/else statement in JavaScript and will separate the parameter from rest of URL ; returnPath — it is a header field that tells the mail server where to send delivery failure instructions; (=) — to assign a string; javascript — it is used to execution of code; (:) — used to assign the code or command ; alert(1) — it is the command or code

So because of using returnPath which is used in params.get('returnPath') so this command will take returnPath value and put that in the href just because it contains javascript and whatever is written after Java Script will execute as a command so href will execute it on that webpage and its done so put this command in the URL

So as you know what is this process so just use F12 for using developer mode and use inspect tool which is in 1st place to inspect the webpage and inspect until you find href in any of the block so hover that inspect tool like on submit feedback or home until you find href in any of the code block on element tab on developer mode and when you find it click it then after that you will see URL like this https://0a1300a403dcd98e81c5e8fa008f006d.web-security-academy.net/feedback?returnPath=/ so just remove this (/) and put that javascript part (javascript:alert(1)) and then its done

All labs | Web Security Academy