WEBVERSE


Difficulty: easy | Category: Reflected XSS | Free

Sandpiper Stationery

A boutique stationer's shipment-tracking form politely echoes your reference number back into the page. Too politely.

The Scenario

Sandpiper Stationery is a three-person wedding-invitation studio on the Cape, founded 2012 — letterpress suites from $640, six-to-eight week lead times, an Etsy following that finally outgrew the Etsy template. Their first standalone site went up in March. The tracking page was a last-minute add the freelancer described as "five lines, can't go wrong" the afternoon before launch.

Challenge Intel

Synopsis

The reflection lands inside a quoted attribute. Break out first, then script.

What It Is

A Sinatra shipment-tracking form that echoes the reference number back into an <input value="..."> attribute with no escaping.

Who It's For

Someone who's solved one body-context XSS lab and is ready for the next context.

Skills You'll Practice

  • Recognising attribute-context reflection
  • Breaking out of a quoted HTML attribute
  • Injecting a script tag after attribute escape
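The breakout pattern those three steps describe, as an added example that is not the challenge's own code: a stand-in for the tracking form's template (its exact markup is an assumption; the page says only that the reference lands unescaped in an <input value="...">), a hardened version that runs the value through ERB::Util.html_escape, and a small check that tells whether a reflected payload stayed inside the attribute. Both payload strings are constructed for the example.

```ruby
require "erb"
require "cgi"

# Assumed shape of the vulnerable template: the reference number is
# interpolated straight into a quoted value attribute, as the challenge
# describes. No Sinatra dependency so the file runs on its own.
def vulnerable_form(ref)
  <<~HTML
    <form method="get" action="/track">
      <input type="text" name="ref" value="#{ref}">
      <button>Track</button>
    </form>
  HTML
end

# Hardened variant: html_escape turns & < > " ' into entities, so the value
# can no longer close the attribute or the tag it lives in.
def safe_form(ref)
  <<~HTML
    <form method="get" action="/track">
      <input type="text" name="ref" value="#{ERB::Util.html_escape(ref)}">
      <button>Track</button>
    </form>
  HTML
end

# A body-context payload. Inside a quoted attribute this is just text.
BODY_PAYLOAD = "<script>alert(1)</script>"

# Attribute-context payload: close the value attribute and the <input>
# tag first, then open a new element of our choosing.
BREAKOUT_PAYLOAD = '"><script>alert(document.domain)</script>'

# Does the whole payload still sit inside the value="..." attribute?
# Entities are decoded before comparing, so an escaped reflection counts
# as contained; an empty or truncated attribute means we broke out.
def reflected_inside_attribute?(html, payload)
  m = html.match(/value="([^"]*)"/)
  return false unless m
  CGI.unescapeHTML(m[1]) == payload
end

def breakout_succeeded?(html, payload)
  !reflected_inside_attribute?(html, payload) && html.match?(/<script\b/i)
end

if __FILE__ == $0
  [BODY_PAYLOAD, BREAKOUT_PAYLOAD].each do |p|
    puts "payload: #{p}"
    puts "  vulnerable breakout? #{breakout_succeeded?(vulnerable_form(p), p)}"
    puts "  hardened  breakout? #{breakout_succeeded?(safe_form(p), p)}"
  end
  puts vulnerable_form(BREAKOUT_PAYLOAD)
  puts safe_form(BREAKOUT_PAYLOAD)
end
```

Run it and compare the two renderings: the body-context payload never leaves the attribute, the breakout payload closes the attribute and the tag in the vulnerable form, and in the hardened form it comes back as `&quot;&gt;&lt;script&gt;...` with nothing for the browser to execute. With Sinatra's ERB templates, `set :erb, escape_html: true` applies this escaping to every `<%= %>` tag; a hand-built string like the one above gets no escaping unless you call the escaper yourself.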

What You'll Gain

  • A first taste of 'context is everything' in XSS exploitation
  • Payload pattern for quoted-attribute breakouts
  • Recognition of how benign-looking echo features become vulnerabilities

Ready to hack Sandpiper Stationery?

This challenge is free. Sign up and start hacking.