
Reflected XSS into HTML context with nothing encoded

Instructions

This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.

To solve the lab, perform a cross-site scripting attack that calls the alert function.

Solution

Whatever we enter into the search box is reflected in an <h1> tag with nothing escaped.

If we send the following payload, an alert is triggered showing the domain from which the payload executed.

Working payload
?search=test123<script>alert(document.domain)</script>

This solves the lab.

Lesson learned

Always check the context in which input is reflected. Use "View as HTML" to see what is being output and how (or whether) it is being output encoded.
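To make the lesson concrete, here is an added illustration (not the lab's own code) in Python: a minimal search-page renderer that reflects the term into the <h1> with nothing encoded, beside the same renderer with output encoding appropriate for an HTML text context. The page markup and function names are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed example: the page's own payload, exactly as it appears in the URL.
PAYLOAD = "?search=test123<script>alert(document.domain)</script>"


def search_term(query_string: str) -> str:
    """Extract the 'search' parameter the way a web framework would.

    parse_qs also percent-decodes, so '%3Cscript%3E' arrives as '<script>'.
    """
    params = parse_qs(query_string.lstrip("?"))
    return params.get("search", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """Reflect the search term into an HTML text node with nothing encoded.

    This mirrors the lab's bug: a '<' in the term starts a real tag, so the
    browser parses the attacker's markup as part of the page.
    """
    term = search_term(query_string)
    return f"<h1>Search results for '{term}'</h1>"


def render_search_fixed(query_string: str) -> str:
    """Same page, with output encoding for the HTML text context.

    html.escape turns < > & " ' into entities, so the term is rendered as
    literal text. Note this encoding is only correct for an HTML text or
    quoted-attribute context; a JavaScript or URL context needs its own rules.
    """
    term = search_term(query_string)
    return f"<h1>Search results for '{html.escape(term, quote=True)}'</h1>"


def contains_script_tag(rendered_html: str) -> bool:
    """Crude check used only to show the difference between the two outputs."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_fixed(PAYLOAD))
```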