medium · Reflected XSS · Pro
Porchlight
A tool library escapes angle brackets religiously. They just forgot the quotes.
The Scenario
Porchlight lends power tools to 300 neighborhood members. Their developer knows you're supposed to HTML-escape user input before putting it in a page, and she did. The reflection happens to land inside an unquoted attribute value, a context where a space ends the value and starts a new attribute. Escaping angle brackets and quotes doesn't buy you anything there: a payload that adds an event handler needs neither.
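The pattern in a few lines of Ruby, as an added example rather than Porchlight's own code: the same escaping applied once to an unquoted and once to a quoted attribute, a small attribute tokenizer standing in for the browser's parser, and the autofocus/onfocus payload. It uses ERB::Util.html_escape from the Ruby standard library in place of Sinatra's Rack::Utils.escape_html so it runs without Sinatra (both escape the same five characters: & < > " '). The input field names and the `drill` query value are made up for the example.

```ruby
require 'erb'

# Added example, not Porchlight's code. ERB::Util.html_escape stands in for
# Sinatra's Rack::Utils.escape_html; both escape & < > " and '.
def escape(s)
  ERB::Util.html_escape(s)
end

# Vulnerable rendering: input is escaped, but the attribute value is unquoted,
# so the first space in the input ends the value and starts a new attribute.
def render_unquoted(query)
  %(<input type=text name=q value=#{escape(query)}>)
end

# Fixed rendering: same escaping, value quoted. Any " in the input has already
# become &quot;, so nothing in the input can end the value early.
def render_quoted(query)
  %(<input type="text" name="q" value="#{escape(query)}">)
end

# Minimal attribute tokenizer for a single start tag, approximating what the
# browser sees: double-quoted, single-quoted, unquoted and boolean attributes.
def attributes_of(tag)
  inner = tag[/\A<\w+\s*(.*?)\/?>\z/m, 1] || ''
  attrs = {}
  inner.scan(/([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/) do |name, dq, sq, uq|
    attrs[name.downcase] = dq || sq || uq || ''
  end
  attrs
end

# Attributes the browser would see that the template never wrote.
def injected_attrs(html, expected = %w[type name value])
  attributes_of(html).keys - expected
end

if __FILE__ == $PROGRAM_NAME
  payload = 'drill autofocus onfocus=alert(1)'   # no < > " or ' anywhere
  puts render_unquoted(payload)
  puts "injected: #{injected_attrs(render_unquoted(payload)).inspect}"
  puts render_quoted(payload)
  puts "injected: #{injected_attrs(render_quoted(payload)).inspect}"
end
```

Run it and the unquoted version reports `autofocus` and `onfocus` as new attributes while `value` is just `drill`; the quoted version keeps the whole string inside `value`. Trying to break out of the quoted version with a literal `"` fails for the reason the scenario gives: the escaper already turned it into `&quot;`, which terminates nothing.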
Challenge Intel
Synopsis
Escaping angle brackets and quotes doesn't help when the attribute itself has no quotes.
What It Is
A Sinatra inventory page that HTML-escapes its input but reflects it into an unquoted attribute value.
Who It's For
Someone who can explain why context matters for escaping.
Skills You'll Practice
- Attribute-context XSS without angle brackets
- Recognising escaping that is correct for one output context but wrong for the one actually used
- Autofocus/onfocus as a trigger
What You'll Gain
- A concrete feel for why escaping alone isn't enough
- Pattern for unquoted-attribute exploits
Ready to hack Porchlight?
Upgrade to Pro to unlock this challenge and the full library.