easy / Reflected XSS / Free
Sandpiper Stationery
A boutique stationer's shipment-tracking form politely echoes your reference number back into the page. Too politely.
The Scenario
Sandpiper is a small wedding-invitation studio. Their brand-new tracking page echoes the reference number back into the input so you don't have to retype it on errors. The echo happens inside an HTML attribute, but nobody double-checked what that means when the value contains punctuation.
Challenge Intel
Synopsis
The reflection lands inside a quoted attribute. Break out first, then script.
What It Is
A Sinatra shipment-tracking form that echoes the reference number back into an <input value="..."> attribute with no escaping.
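An added illustration, not the challenge's own Sinatra code: the buggy rendering the lab describes beside its escaped counterpart, written as plain Ruby string builders so it runs without Sinatra. The reference-number format used for input validation is an assumption; the lab does not specify one.

```ruby
# Added example modelling Sandpiper's tracking form. Not the lab's own code.
require 'cgi'

# Vulnerable: the reference number is interpolated straight into a quoted
# attribute, so a double quote in the value closes the attribute early and
# everything after it is parsed as markup.
def reflect_unescaped(ref)
  %(<input type="text" name="ref" value="#{ref}">)
end

# Fixed: CGI.escapeHTML turns " into &quot; (and & < > ' likewise), so the
# whole value stays inside the attribute whatever punctuation it contains.
def reflect_escaped(ref)
  %(<input type="text" name="ref" value="#{CGI.escapeHTML(ref)}">)
end

# Defence in depth: reject anything that is not a plausible reference number
# before it reaches the template. (Assumed format: letters, digits, dashes.)
REF_FORMAT = /\A[A-Za-z0-9-]{1,32}\z/.freeze

def valid_ref?(ref)
  REF_FORMAT.match?(ref)
end

# Reads the value attribute the way a browser does: up to the next double
# quote. Shows where the unescaped rendering stops and where the escaped one
# keeps the entire input.
def value_as_parsed(html)
  html[/value="([^"]*)"/, 1]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input containing attribute-closing punctuation.
  sample = 'SP-42"><b>x</b>'
  puts reflect_unescaped(sample) # attribute ends at SP-42, <b> leaks out
  puts reflect_escaped(sample)   # whole string survives as attribute text
  puts valid_ref?(sample)        # false: rejected before rendering
end
```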
Who It's For
Someone who's solved one body-context XSS lab and is ready for the next context.
Skills You'll Practice
- Recognising attribute-context reflection
- Breaking out of a quoted HTML attribute
- Injecting a script tag after attribute escape
What You'll Gain
- A first taste of 'context is everything' in XSS exploitation
- Payload pattern for quoted-attribute breakouts
- Recognition of how benign-looking echo features become vulnerabilities
Ready to hack Sandpiper Stationery?
This challenge is free. Sign up and start hacking.