WEBVERSE

Difficulty: easy | Category: Reflected XSS | Free

Rivet & Tack

A family leather shop reflects your order ID right into the page — and can't be bothered with quote marks around the attribute.

The Scenario

Rivet & Tack is a two-generation leather shop out of Millerton — belts and dog collars from $48, custom saddle work by appointment, founded 1986. The order-lookup page was bolted on by the owner's nephew, a high-school junior who'd just discovered View Source and was prouder of how the markup read than of what the browser would do with it.

Challenge Intel

Synopsis

Unquoted attribute context — no breakout needed, just new attributes.

What It Is

A PHP order-lookup page that reflects the ID into an <input value=REFLECTED> with no quotes at all.
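As an added example (it is not the challenge's own PHP, and the field name `order` and the sample order IDs are constructed for illustration), the snippet below models the two ways the lookup page could write the order ID into the input tag: the unquoted form the page describes, and a hardened form that both quotes the attribute and escapes quote characters, `<`, `>` and `&`. It then parses each rendering the way a browser would and reports any attribute beyond the two the template intended, which is the check a reviewer would run to confirm a fix.

```python
import html
from html.parser import HTMLParser

# Vulnerable pattern from the challenge description: the value is written
# into the tag with no quotes and no escaping, so a space in the input
# ends the value and starts a new attribute.
def render_unquoted(order_id: str) -> str:
    return f"<input name=order value={order_id}>"

# Hardened form: quote the attribute AND escape the characters that could
# terminate it (html.escape with quote=True handles & < > " ').
def render_quoted_escaped(order_id: str) -> str:
    return f'<input name="order" value="{html.escape(order_id, quote=True)}">'

class _AttrCollector(HTMLParser):
    """Collects the attributes of the first <input> tag seen."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = attrs

def input_attributes(markup: str) -> list:
    """Return [(name, value), ...] as an HTML parser sees the <input> tag."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs

def injected_attributes(markup: str, allowed=("name", "value")) -> list:
    """Names of attributes that the template never meant to emit."""
    return [name for name, _ in input_attributes(markup) if name not in allowed]

if __name__ == "__main__":
    # Constructed sample IDs: one plain, one carrying a space and a harmless
    # data- attribute, one carrying a double quote as well.
    samples = ["1042", "1042 data-probe=1", '1042" data-probe=1']
    for oid in samples:
        for render in (render_unquoted, render_quoted_escaped):
            out = render(oid)
            print(f"{render.__name__:22} {out!r:45} extra={injected_attributes(out)}")
```

Only the unquoted rendering grows an extra attribute from the space-separated sample; the quoted-and-escaped rendering keeps the whole string inside `value` in every case, which is the property a fix for this class of bug must restore.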

Who It's For

A student who's solved quoted-attribute XSS and wants the unquoted variant.

Skills You'll Practice

  • Recognising unquoted attribute reflection
  • Space-delimited attribute injection
  • Using autofocus + onfocus to fire JS without a click

What You'll Gain

  • Awareness that XSS payloads don't always need angle brackets
  • Pattern-matching unquoted-attribute vulnerabilities in the wild
  • A second attribute-context technique in the toolkit

Ready to hack Rivet & Tack?

This challenge is free. Sign up and start hacking.