WEBVERSE

Difficulty: easy | Category: Reflected XSS | Price: free

Ember Kettle

A small tea shop's brand-new online catalog has a search bar that trusts everything you give it. No filter, no escape, no second thoughts.

The Scenario

Ember Kettle opened their online catalog last Saturday. The owner's niece built the search feature the night before launch — it's the one thing on the site nobody's reviewed. Browse the shop, poke at the search, and see what a curious visitor can drop in.

Challenge Intel

Synopsis

First reflected-XSS solve. No filters, no bypasses.

What It Is

A tiny Flask catalog whose search endpoint echoes your query straight back into the HTML response without escaping it. The canonical first XSS lab.

Who It's For

Absolute beginners to cross-site scripting.

Skills You'll Practice

  • Locating reflected user input
  • Crafting a minimal inline script payload
  • Observing payload execution in a live browser

What You'll Gain

  • Confidence that reflected XSS is real and trivially exploitable
  • A working baseline payload to build on in later labs
  • Mental model of 'input that becomes output becomes code'

Ready to hack Ember Kettle?

This challenge is free. Sign up and start hacking.