A03 — XSS Demo (RAW mode, unsafe)

This single page demonstrates Stored XSS (session-based “comments”) and Reflected XSS (an echoed query parameter). Each panel can be switched between two rendering modes, RAW and SAFE, so the same input can be compared with and without output encoding. The descriptions below refer to RAW mode.

Stored XSS — Session “Comments”

RAW mode: no output encoding

Add a “comment”; it is saved in your PHP session and rendered back into the page on every load. In RAW mode the stored text is written into the HTML as-is, so any script in it executes. Because the store is your own session, the payload only fires in your browser; in a real application the comment would sit in a shared database and fire for every visitor who views the page.

  1. Post this comment: <script>alert('stored')</script>
  2. Switch between RAW and SAFE to see the difference: in SAFE mode the same comment is displayed as literal text instead of being parsed as markup.
The Comments panel beneath the form lists every saved comment and is re-rendered each time the page loads, so a stored payload runs on every visit, not only when it is posted. Reset Comments clears the session array.

Reflected XSS — Echoed Query

RAW mode: direct echo

The input below is sent as a query parameter and reflected back into the page. In RAW mode it is echoed directly into the HTML, so markup in the parameter is parsed and executed. Unlike the stored case nothing is saved: the payload lives in the URL, and a victim is attacked only by loading a link that carries it.

  1. Try: <img src=x onerror=alert('reflect')>
  2. Or: <svg onload=alert(1)>
Both payloads fire without any user interaction: the image source fails to load, and an inline SVG runs its onload handler as soon as it is parsed, so neither depends on a <script> tag getting through.
The Reflected Output panel beneath the form shows what the server echoed for the current request; Clear discards it.
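Both panels in one runnable model, as an added example that is not the demo page's own PHP: a Node.js script that renders the stored comments and the reflected query in RAW and SAFE mode, then checks which outputs still contain a tag the browser would parse. The helper names (escapeHtml, createCommentStore, renderComments, renderReflected, hasInjectedTag, compareModes), the in-memory store standing in for the PHP session, and the tag check are this example's own assumptions about the demo.

```javascript
// Added example, not the demo page's own PHP: a Node.js model of the RAW/SAFE
// toggle for both panels. The helper names, the in-memory comment store and
// the tag check are this example's own assumptions about the demo.

// HTML entity encoding for text placed in the HTML body or a quoted attribute.
// This is what SAFE mode must do before any user text is concatenated into
// markup; in PHP, htmlspecialchars($s, ENT_QUOTES, 'UTF-8') does the same.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for the PHP session array that holds the "comments".
function createCommentStore() {
  const comments = [];
  return {
    add(text) { comments.push(String(text)); },
    reset() { comments.length = 0; },
    list() { return comments.slice(); },
  };
}

// Stored XSS panel: every saved comment is rendered on each page load.
// RAW concatenates the stored text verbatim; SAFE encodes it at output time.
function renderComments(store, mode) {
  const items = store.list().map((c) => `<li>${mode === 'RAW' ? c : escapeHtml(c)}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Reflected XSS panel: the query parameter is echoed straight back.
function renderReflected(query, mode) {
  return `<div id="reflected">${mode === 'RAW' ? query : escapeHtml(query)}</div>`;
}

// Check used by this example: strip the markup the templates above emit
// themselves; any '<' that still starts a tag came from user input and would
// be parsed as an element by the browser.
const TEMPLATE_TAGS = /<\/?(?:ul|li)>|<div id="reflected">|<\/div>/g;
function hasInjectedTag(html) {
  return /<[a-z!\/?]/i.test(html.replace(TEMPLATE_TAGS, ''));
}

// The three payloads from the page.
const PAYLOADS = {
  stored: "<script>alert('stored')</script>",
  reflectImg: "<img src=x onerror=alert('reflect')>",
  reflectSvg: '<svg onload=alert(1)>',
};

// Render each payload in both modes; true means the tag survived into the HTML.
function compareModes() {
  const store = createCommentStore();
  store.add(PAYLOADS.stored);
  const result = {};
  for (const mode of ['RAW', 'SAFE']) {
    result[mode] = {
      stored: hasInjectedTag(renderComments(store, mode)),
      reflectImg: hasInjectedTag(renderReflected(PAYLOADS.reflectImg, mode)),
      reflectSvg: hasInjectedTag(renderReflected(PAYLOADS.reflectSvg, mode)),
    };
  }
  return result;
}

console.log(JSON.stringify(compareModes(), null, 2));
```

Run it with node: RAW reports true for all three payloads and SAFE reports false for all three. The SAFE branch is the entire fix, and the place it sits matters: encode at output time, for the context you are writing into. Entity encoding is the right tool for the HTML body and quoted attributes, which is where this demo writes; it is not sufficient when a value is placed inside a <script> block, a URL, an event-handler attribute or CSS, each of which needs its own context-specific encoding. Encoding & before the other characters is not cosmetic: done in any other order the entities just produced would be encoded a second time.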