WEBVERSE

Easy · Reflected XSS · Free

Ember Kettle

A small tea shop's brand-new online catalog has a search bar that trusts everything you give it. No filter, no escape, no second thoughts.

The Scenario

Ember Kettle is a single-storefront tea shop that's been on Bellweather Lane since 2019 — about ninety loose-leaf SKUs, a Saturday morning cupping club, and a brand-new online catalog that went up last weekend. The owner's niece built the search bar the night before launch and the owner promised she'd "have someone look at it" once the holiday rush was over. Nobody has yet.

Challenge Intel

Synopsis

First reflected-XSS solve. No filters, no bypasses.

What It Is

A tiny Flask catalog where the search endpoint echoes your query straight back into the HTML response with no escaping. The canonical first XSS lab.

Who It's For

Absolute beginners to cross-site scripting.

Skills You'll Practice

  • Locating reflected user input
  • Crafting a minimal inline script payload
  • Observing payload execution in a live browser
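
The three skills above are the three steps of one procedure, and the "What It Is" blurb describes the bug that makes them work. Here is an added example, written for this page and not the lab's own code, that models both: a constructed stand-in for the Flask search endpoint in its vulnerable form next to a hardened form, plus the probing logic a tester runs against it. The page layout, the parameter name `q`, the canary string and the function names are all assumptions; only the behaviour (raw query reflected into the HTML) comes from the page.

```python
import html
from typing import Callable

# Constructed stand-in for the lab's Flask search endpoint (not the lab's code).
# Both renderers build the same page; only the treatment of the query differs.
# The query lands in two sinks: a quoted attribute value and a text node.
PAGE = (
    '<!doctype html><title>Ember Kettle - search</title>'
    '<form action="/search"><input name="q" value="{q}"></form>'
    '<p>Results for: {q}</p>'
)

def render_search_vulnerable(q: str) -> str:
    """Echo the raw query straight into the HTML, as the lab's endpoint does."""
    return PAGE.format(q=q)

def render_search_escaped(q: str) -> str:
    """Hardened version: HTML-escape the query. quote=True also neutralises
    the double quote, so the attribute sink cannot be broken out of."""
    return PAGE.format(q=html.escape(q, quote=True))

# Lab step 1: a unique, harmless canary to find where the input is reflected.
CANARY = "qz9canary"
# Lab step 2: minimal inline-script payloads, one per sink.
PAYLOAD_TEXT = "<script>alert(document.domain)</script>"
PAYLOAD_ATTR = '"><script>alert(document.domain)</script>'

def reflected_verbatim(render: Callable[[str], str], probe: str) -> bool:
    """Lab step 3 from the HTTP side: does the probe survive into the response
    unchanged? Verbatim '<' and '"' are what let the browser parse the payload
    as markup; an escaped copy (&lt;script&gt;) stays inert text."""
    return probe in render(probe)

def reflection_contexts(render: Callable[[str], str], canary: str) -> list[str]:
    """Classify each reflection of the canary as 'attribute' or 'text' by what
    immediately precedes it, so the tester knows which payload shape to use."""
    body = render(canary)
    contexts = []
    start = 0
    while (i := body.find(canary, start)) != -1:
        before = body[max(0, i - 8):i]
        contexts.append("attribute" if before.endswith('="') else "text")
        start = i + len(canary)
    return contexts

if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("escaped", render_search_escaped)):
        print(name, reflection_contexts(render, CANARY),
              "text payload verbatim:", reflected_verbatim(render, PAYLOAD_TEXT),
              "attribute payload verbatim:", reflected_verbatim(render, PAYLOAD_ATTR))
```

Two practitioner notes. First, Flask's `render_template` and `render_template_string` autoescape by default, so a real handler with this bug is usually building the response by string concatenation or an f-string, or marking the input `|safe` / `Markup`; grep for those when you move from exploiting to fixing. Second, `html.escape` is the correct fix only for the two sinks modelled here (HTML body and quoted attribute); input reflected inside a `<script>` block or a URL needs context-specific encoding, which later labs cover.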

What You'll Gain

  • Confidence that reflected XSS is real and trivially exploitable
  • A working baseline payload to build on in later labs
  • Mental model of 'input that becomes output becomes code'

Ready to hack Ember Kettle?

This challenge is free. Sign up and start hacking.