Reflected XSS Bootcamp

Lab: GET Parameter Reflection

Difficulty: Low

Lab Overview

This lab demonstrates a basic reflected XSS vulnerability: the values of two GET parameters are echoed straight into the HTML response without output encoding, so any markup they contain is interpreted by the browser.

Objective: Execute a JavaScript alert using the XSS vulnerability in the form below.

Backend Source Code
<?php
// Deliberately vulnerable: both GET parameters are echoed into the HTML
// response as-is, with no output encoding.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    echo $_GET["fname"];
    echo $_GET["lname"];
}
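The following is an added example, not the lab's own code: it places the lab's reflection logic beside a hardened version that HTML-encodes the two parameters before they reach the response, and runs both over constructed sample input so the difference in the rendered output is visible. The function names render_vulnerable and render_hardened, and the sample values, are assumptions for this illustration.

```php
<?php
// Added example (not the lab's code). Assumed: a plain PHP page that reflects
// fname/lname into an HTML text node; no framework or template engine.

function render_vulnerable(array $get): string {
    // Mirrors the lab handler: raw reflection of GET parameters into HTML.
    if (isset($get["fname"]) && isset($get["lname"])) {
        return $get["fname"] . $get["lname"];
    }
    return "";
}

function render_hardened(array $get): string {
    // Contextual output encoding for an HTML text node: htmlspecialchars with
    // ENT_QUOTES (encode both quote styles), ENT_SUBSTITUTE (replace invalid
    // UTF-8 instead of returning an empty string) and an explicit charset.
    if (isset($get["fname"]) && isset($get["lname"])) {
        $fname = htmlspecialchars((string)$get["fname"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $lname = htmlspecialchars((string)$get["lname"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return $fname . $lname;
    }
    return "";
}

// Constructed sample input: a harmless pair of values and a pair carrying
// HTML markup, which the vulnerable handler passes through untouched.
$samples = [
    ["fname" => "Alice", "lname" => "Smith"],
    ["fname" => "<b>Alice</b>", "lname" => "<i>Smith</i>"],
];

foreach ($samples as $q) {
    echo "input:      ", json_encode($q), PHP_EOL;
    echo "vulnerable: ", render_vulnerable($q), PHP_EOL;
    echo "hardened:   ", render_hardened($q), PHP_EOL, PHP_EOL;
}
```

Run it from the command line with php and compare the two output lines for the second sample: the vulnerable handler emits the angle brackets literally, so a browser would parse them as tags, while the hardened handler emits `&lt;b&gt;Alice&lt;/b&gt;` and the browser shows the brackets as text. The encoding shown is correct only for an HTML text node; a value placed into an attribute, a URL or a script block needs the encoding appropriate to that context, and the page should also declare its charset in the Content-Type header so the browser and htmlspecialchars agree on the encoding.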
Test Input Form (submits fname and lname as GET parameters to the page above)
Hints & Tips
  • Try injecting simple script tags to test if they're executed
  • Remember that the code directly outputs your input without sanitization
  • Check how your input is rendered in the page source after submission
  • This is a classic example of reflected XSS via GET parameters