hard · Reflected XSS · Pro
Millrace
A brewery site's debug pane echoes your user-agent. Maybe don't let you set that.
The Scenario
Millrace is a microbrewery and taproom that hosts live music. Their homepage has a tiny debug pane echoing the visitor's user-agent into an HTML comment for troubleshooting. The /debug page lets anyone set their session-scoped UA to any string they like. You can see the problem from here.
Challenge Intel
Synopsis
The reflection source isn't the URL — it's the User-Agent.
What It Is
A Flask taproom site that echoes the UA into an HTML comment on the homepage, with a /debug form to override the session-scoped UA.
Who It's For
Someone who looks beyond the obvious query-string reflection.
Skills You'll Practice
- Identifying header/cookie-based inputs
- Session-scoped override mechanics
- Comment-escape XSS
What You'll Gain
- Broadened mental model of 'user input'
- Pattern for finding non-obvious reflection sources
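
A defender's view of the pattern described above, as an added example that is not the challenge's own code: the function names, the comment text and the sample User-Agent value are assumptions constructed for illustration. It contrasts echoing the value into an HTML comment as-is with escaping it first, and uses Python's standard-library parser to check whether the value stays inside the comment.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not taken from the challenge).
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64)"
CONSTRUCTED_UA = "Mozilla/5.0 --><b>marker</b>"


def render_debug_unsafe(ua: str) -> str:
    """The pattern the page describes: the UA goes into the comment as-is."""
    return f"<!-- debug ua: {ua} -->"


def render_debug_safe(ua: str) -> str:
    """Escape '<', '>' and '&' so the value can never contain the comment
    terminators '-->' or '--!>'; truncate to bound the reflected size."""
    return f"<!-- debug ua: {html.escape(ua[:256], quote=True)} -->"


class _Audit(HTMLParser):
    """Records what a parser sees in a fragment: comments and start tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.comments = 0
        self.tags = []

    def handle_comment(self, data):
        self.comments += 1

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def stays_in_comment(fragment: str) -> bool:
    """True if the fragment parses as exactly one comment and no elements."""
    parser = _Audit()
    parser.feed(fragment)
    parser.close()
    return parser.comments == 1 and not parser.tags


if __name__ == "__main__":
    for ua in (NORMAL_UA, CONSTRUCTED_UA):
        print(repr(ua),
              "unsafe:", stays_in_comment(render_debug_unsafe(ua)),
              "safe:", stays_in_comment(render_debug_safe(ua)))
```

The same escaping applies whether the value arrives in the request header or through a session-scoped override, since both end up in the same comment; not reflecting the value into the page at all removes the sink entirely.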