easy · Reflected XSS · Free
Fermata
A piano-tuner booking site still has a debug comment baked into production. It echoes your input — right into an HTML comment.
The Scenario
Fermata connects clients with piano tuners. An old debug line left over from development drops the booking reference into an HTML comment so ops can scan View Source for bad IDs. It never occurred to anyone that comments are just text — not a fence.
Challenge Intel
Synopsis
Reflection lives inside an HTML comment. Break out.
What It Is
A Flask booking page that drops the ?ref= parameter into an HTML <!-- comment --> for debugging.
Who It's For
A student who's comfortable with body and attribute contexts and wants the comment-context variant.
Skills You'll Practice
- Identifying HTML-comment reflection
- Using --> (or the --!> variant browsers also accept) to close a comment early
- Re-opening a comment with <!-- so the original --> is swallowed and downstream HTML stays valid
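The three steps above, as an added example that is not Fermata's code: a stand-in for the leftover debug line that reflects the booking reference into a comment, the breakout payload that closes the comment and re-opens it, a hardened renderer that HTML-encodes the value (entities are not decoded inside comments, so `&gt;` can never form `-->`), and a small check built on the standard library's HTML parser that tells you whether injected markup is parsed live or still sits inside the comment. The page markup, the booking reference format and the renderer names are assumptions; it uses only the standard library so it runs without Flask installed.

```python
"""
Added example (not Fermata's code): reflection into an HTML comment,
comment breakout with --> ... <!--, and a hardened renderer.
Stdlib only; the HTML skeleton and function names are assumptions.
"""
import html
from html.parser import HTMLParser


def render_booking_vulnerable(ref: str) -> str:
    """Mimics the leftover debug line: the raw ?ref= value lands in a comment."""
    return (
        "<html><body>\n"
        "<h1>Fermata booking</h1>\n"
        f"<!-- debug: booking ref = {ref} -->\n"
        "<p>Your tuner will be in touch.</p>\n"
        "</body></html>"
    )


def render_booking_fixed(ref: str) -> str:
    """HTML-encodes the value before it enters the comment.

    Entities are not decoded inside comments, so '&gt;' can never complete
    '-->' (or '--!>'); the reference stays inert text. Dropping the debug
    line entirely is the better fix, but this keeps the ops workflow intact.
    """
    safe_ref = html.escape(ref, quote=True)
    return (
        "<html><body>\n"
        "<h1>Fermata booking</h1>\n"
        f"<!-- debug: booking ref = {safe_ref} -->\n"
        "<p>Your tuner will be in touch.</p>\n"
        "</body></html>"
    )


# Breakout payload: close the debug comment, inject markup, then re-open a
# comment so the page's original ' -->' is swallowed and the DOM stays clean.
PAYLOAD = "--><script>alert(document.domain)</script><!--"


class _TagCollector(HTMLParser):
    """Records start tags parsed as live markup and the body of each comment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_comment(self, data):
        self.comments.append(data)


def parse_markup(markup: str):
    """Return (live start tags, comment bodies) as a browser-like tokenizer sees them."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.comments


def breakout_succeeded(markup: str) -> bool:
    """True if a <script> tag is tokenized outside any comment."""
    tags, _ = parse_markup(markup)
    return "script" in tags


if __name__ == "__main__":
    for name, render in (("vulnerable", render_booking_vulnerable),
                         ("fixed", render_booking_fixed)):
        page = render(PAYLOAD)
        tags, comments = parse_markup(page)
        print(f"{name}: breakout={breakout_succeeded(page)} tags={tags} comments={comments}")
```

Run it and compare the two outputs: in the vulnerable page the parser reports a `script` start tag and two short comments (the truncated debug comment and the re-opened one), while in the fixed page the whole payload is reported as the body of a single comment and no `script` tag exists. The same `parse_markup` check works on a saved View Source of a real response, which makes it a quick way to confirm a comment-context reflection before spending time on a payload.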
What You'll Gain
- Understanding that comments aren't a security boundary
- Pattern for debug-oriented leaks in real codebases