Reflected XSS (Simulated)

Unsafe Output Handling • Intermediate

Output Encoding

Secure Mode• show fix Session• Cookie Recruiter• Mode

Objective: Inject markup into a server response.

Try: Supply HTML-like input.

🧨 Design: Unsafe vs safe output. Same input. Totally different outcomes.

Everything here is simulated and sandboxed to this site—no real accounts, no real services.

Demo How it works Issue Exploit Fix Video

1) Demo

Here is the feature “working” as implemented in this mode.

App Output

Unsafe Render (what the server would do)

hello

We do not execute scripts here — we only show what would be injected.

Safe Render (escaped)

hello

Secure mode escapes output by default.

Response

Status: 200 OK Response Headers: (none)

2) How the code works

This section shows the mental model: what the server is “thinking”.

return "<div>"+input+"</div>"; // unsafe

3) The issue

Unescaped output can turn user input into executable HTML/JS.

Real-world impact: Session theft, account takeover, fake UI injection.

4) Exploit it

Edit the raw request below. You can change method, path/query, headers, and body. Then send it. The server will parse what you typed and re-run the simulation.

Request Editor

Tip: For secure mode tests, add a cookie like: Cookie: session=1; role=Admin

Parsed View (what the server read)

method: GET path: /search?q=hello headers: host: kylerburke.dev body: (empty)

Exploit Editor Hidden (Recruiter Mode)

This mode is designed for sharing your portfolio. It focuses on clear explanation, real-world impact, and fixes—without interactive exploitation.

Want to demo the exploit? Turn Recruiter Mode off and use the Request Editor.

5) Fix

Secure Mode shows the fix behavior. Flip modes and send the same request.

Escape output by default; use safe templating; CSP for defense-in-depth.

Video

Short visual explanation to match what you just did.

Swap the YouTube ID in the Worker to pick a different explainer video for this vulnerability.