Reflected XSS
Attacker data in the HTTP request -> included in the response. Sample use: an attacker can craft a malicious link and send it to victims. When a victim visits it, the browser also passes the XSS payload (e.g. a GET parameter) to the server, which returns it in the response, where it is executed. This way a simple phishing link can execute JS in the victim's browser.
Lab #1: Between HTML Tags
Reflected XSS into HTML context with nothing encoded
Find a feature that allows for user input to be inserted into the response:
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#event-handlers-that-do-require-user-interaction
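
Added example, not part of the original notes or the lab: a hypothetical `/search?q=` handler that reflects the parameter into the HTML body with nothing encoded, beside the same handler with output encoding applied. The function names, the `app.example` host and the probe string are assumptions constructed for illustration.

```javascript
// Hypothetical handler for GET /search?q=... (names are assumptions, not from the lab).

// Vulnerable: the parameter is concatenated into the HTML body with nothing encoded,
// so any markup in it is parsed by the browser as part of the page.
function renderSearchUnencoded(requestUrl) {
  const q = new URL(requestUrl, 'http://app.example').searchParams.get('q') ?? '';
  return `<h1>Results for: ${q}</h1>`;
}

// HTML-encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same page, but the reflected value is encoded for the HTML text context.
function renderSearchEncoded(requestUrl) {
  const q = new URL(requestUrl, 'http://app.example').searchParams.get('q') ?? '';
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Test helper: does the response contain the probe verbatim, markup intact?
function reflectsRawMarkup(responseBody, probe) {
  return responseBody.includes(probe);
}

// Constructed request: a harmless markup probe in the q parameter.
const probe = '<i>probe-7f3a</i>';
const url = '/search?q=' + encodeURIComponent(probe);

console.log(renderSearchUnencoded(url));
console.log(renderSearchEncoded(url));
console.log(reflectsRawMarkup(renderSearchUnencoded(url), probe)); // true
console.log(reflectsRawMarkup(renderSearchEncoded(url), probe));   // false
```

The encoding shown fits the "between HTML tags" context of this lab; values reflected into attributes, scripts or URLs need the encoding for that context instead.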



To solve the lab, you need to trigger an alert straight away:

