xss Getting started with xss Search Results Example


Let's assume we have a search results page that displays a user's search query back to them. The code below is an example of how this could be done in PHP:

Results for "<?php echo $_GET['query'] ?>"

For this to work, you would access the page with a URL like:


In the response, we get:

Results for "stackoverflow"

Now we will attempt to inject our payload into the response:


And our new response:

Results for "<script>alert(1)</script>"

We have successfully injected our XSS payload.