TL;DR

Insert <script>alert(1)</script> into the search functionality (the term is reflected via the ?search= parameter). Note that the lab only registers as solved with the specific payload alert(1).

Learning Material


Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Suppose a website has a search function which receives the user-supplied search term in a URL parameter:

https://insecure-website.com/search?term=gift

The application echoes the supplied search term in the response to this URL:

<p>You searched for: gift</p>

Assuming the application doesn’t perform any other processing of the data, an attacker can construct an attack like this:

https://insecure-website.com/search?term=<script>/*+Bad+stuff+here...+*/</script>

This URL results in the following response:

<p>You searched for: <script>/* Bad stuff here... */</script></p>

If another user of the application requests the attacker’s URL, then the script supplied by the attacker will execute in the victim user’s browser, in the context of their session with the application.

Lab


This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.

To solve the lab, perform a cross-site scripting attack that calls the alert function.

Write-up


Very simple lab, though the expected payload to trigger the solve is alert(1) and nothing else is accepted. Upon landing on the challenge, you notice a simple search functionality. Watch how any input you submit appears in the URL as the ?search= query parameter and is reflected, unencoded, into the results page.

Inject a simple check:

<script>alert()</script>

Notice that the script executes, yet the challenge is not marked as solved. At this point you have understood the lab and demonstrated the vulnerability, so you can safely assume the solve check expects a specific call. Since this is supposedly the first XSS challenge you are meant to solve, check the solution: it expects alert(1) specifically. Lab solved.