easy | Reflected XSS | Free
Rivet & Tack
A family leather shop reflects your order ID right into the page — and can't be bothered with quote marks around the attribute.
The Scenario
Rivet & Tack is a two-generation family leather shop. The nephew who built their order-lookup page thought the markup "looked cleaner" without quotes around the attribute value. He didn't think about what happens next.
Challenge Intel
Synopsis
Unquoted attribute context — no breakout needed, just new attributes.
What It Is
A PHP order-lookup page that reflects the ID into an <input value=REFLECTED> with no quotes at all.
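As an added illustration (not the challenge's own source), here is the unquoted reflection next to the corrected rendering; `$id`, `render_unquoted` and `render_quoted` are names assumed for the example.

```php
<?php
// Added example: the order ID is taken from the query string as $id.
$id = $_GET['id'] ?? '';

// Vulnerable: the attribute value is unquoted, so the first whitespace
// character in $id ends the value and everything after it is parsed as
// further attributes on the same <input> element. No angle brackets needed.
function render_unquoted(string $id): string {
    return '<input type="text" name="id" value=' . $id . '>';
}

// Fixed: quote the attribute AND encode the value for an attribute context.
// ENT_QUOTES encodes both " and ' so the value cannot close the quotes,
// and once the value is quoted, whitespace no longer starts a new attribute.
function render_quoted(string $id): string {
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="id" value="' . $safe . '">';
}

// Constructed check value: a space followed by a harmless extra attribute.
$probe = '123 data-probe=1';
// Unquoted: data-probe=1 becomes a real attribute on the element.
// Quoted:   the whole string stays inside value="..." as plain text.
assert(str_contains(render_unquoted($probe), ' data-probe=1>'));
assert(str_contains(render_quoted($probe), 'value="123 data-probe=1"'));

echo render_quoted($id);
```

Quoting alone is not enough (a `"` in the input would still break out), and escaping alone is not enough here (htmlspecialchars leaves spaces intact), so the fix needs both.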
Who It's For
A student who's solved quoted-attribute XSS and wants the unquoted variant.
Skills You'll Practice
- Recognising unquoted attribute reflection
- Space-delimited attribute injection
- Using autofocus + onfocus to fire JS without a click
What You'll Gain
- Awareness that XSS payloads don't always need angle brackets
- Pattern-matching unquoted-attribute vulnerabilities in the wild
- A second attribute-context technique in the toolkit