← vuln-lab catalog

Reflected XSS (client-side)

The q query parameter is echoed straight into the page through innerHTML with no encoding — a reflected client-side sink. (The server-side twin lives at /api/search.)

(no query yet)

Trigger: /xss/reflected.html?q=<img src=x onerror=alert(1)>

Detected by: browser_cdp_dom_xss_trace, browser_cdp_js_sink_monitor