Reflected XSS — URL Parameter Echo

Easy Injection · A03:2021 15 min

Flag submissions require login via tc_sso. Reading instructions does not.

Scenario

A search page at ?q=<your-term> echoes whatever you typed back into the page without HTML-escaping it. The echo is done by the page's own JavaScript rather than by a server template, so strictly this is the DOM-based variant of reflected XSS, but the payload travels in the URL exactly as in the classic case. A separate script on the page reads a "secret" flag from a window.__FLAG variable but never displays it. Your job: inject JavaScript that reads window.__FLAG and shows it to you.

Objective

Cause the page to display the value of window.__FLAG (either via alert(), by writing it into the page, or by reading it from DevTools console once your payload runs).

The flag has the shape TC{xss_…}.

Primer — why this works

If the server (or, in this lab, the static page's own JS) does this:

<p>You searched for: <span id="q-echo"></span></p>
<script>
  // Source: the q parameter, taken straight from the URL with no validation.
  const q = new URLSearchParams(location.search).get('q');
  // Sink: the innerHTML setter parses q as HTML, so any tags and attributes
  // in q become live DOM nodes in this page's origin.
  document.getElementById('q-echo').innerHTML = q;   // ← innerHTML, not textContent
</script>

…then any HTML you put in q is parsed in the page's origin, and an event-handler attribute on an injected element runs as JavaScript there with access to everything the page can see, window.__FLAG included. (A bare <script> tag does not run when inserted through innerHTML; see Tips.)
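To make the source/sink pair concrete, here is an added example (not the lab's own code) that models the vulnerable echo as an HTML string next to a hardened version that escapes q before it reaches the sink, and builds the attack URL the way the page will parse it. The base URL is an assumed placeholder, not the real lab host; the DOM is modelled as strings so the file runs under Node as well as in a browser.

```javascript
// Added example, not part of the lab page. Models the primer's innerHTML sink
// as string rendering, shows the escaped alternative, and builds the attack URL.

// The sink in the primer: q is dropped straight into innerHTML. URLSearchParams
// returns null when q is absent; String(null) mirrors innerHTML's "null" text.
function renderEchoVulnerable(q) {
  return `<p>You searched for: <span id="q-echo">${String(q)}</span></p>`;
}

// Minimal HTML escaping: the five characters that can change parsing context
// in element content or attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: same markup, but q is escaped before it touches the sink.
// In real page code `el.textContent = q` achieves the same for element content.
function renderEchoSafe(q) {
  return `<p>You searched for: <span id="q-echo">${escapeHtml(q)}</span></p>`;
}

// Build the lab URL. searchParams.set percent-encodes the payload, so
// characters such as '#', '&', '+' and '=' survive the trip through the query.
function buildSearchUrl(base, payload) {
  const url = new URL(base);
  url.searchParams.set('q', payload);
  return url.toString();
}

// What the page's script sees: the same parse as the primer's first line.
function parseQ(urlString) {
  return new URL(urlString).searchParams.get('q');
}

// Crude check used below: does the rendered HTML still contain an unescaped
// tag carrying an on* handler attribute?
function containsLiveHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

const PAYLOAD = '<img src=x onerror=alert(window.__FLAG)>';
// Assumed placeholder host for the example; substitute the real lab URL.
const BASE = 'https://lab.example.test/search';

// Returns the three things a tester wants to compare in one place.
function demo() {
  const url = buildSearchUrl(BASE, PAYLOAD);
  const q = parseQ(url);
  return {
    url,
    vulnerable: renderEchoVulnerable(q),
    hardened: renderEchoSafe(q),
    vulnerableIsLive: containsLiveHandler(renderEchoVulnerable(q)),
    hardenedIsLive: containsLiveHandler(renderEchoSafe(q)),
  };
}

console.log(demo());
```

The escaped output still shows the literal text of the payload to the user, which is exactly what a search echo should do; the difference is that the browser never parses it as markup. Note that this escaping covers element content and quoted attribute values only; a value placed inside a script block or a URL attribute needs context-specific encoding.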

Steps

  1. Open the lab in the right pane.
  2. Note that ?q=hello simply echoes "hello".
  3. Construct a payload in the q parameter that runs JavaScript and reveals window.__FLAG.
  4. Read the flag from the alert / page / console output.
  5. Paste it into the Submit Flag box below.

Tips

  • <script> tags inserted via innerHTML do not execute in modern browsers — you'll need a different vector.
  • Event handlers on injected tags do execute. Think <img src=x onerror=…>.
  • The lab page lives inside a sandboxed iframe (allow-scripts allow-forms, no allow-same-origin). Your payload runs inside that opaque-origin iframe; it cannot read lab.techclick.in's cookies or storage, and that's the point. The lesson is the vuln, not the privilege escalation. One practical consequence: browsers ignore alert(), confirm() and prompt() inside a sandboxed iframe unless allow-modals is also set (Chrome logs a console warning that the call was ignored). If no dialog appears, use one of the other routes from the Objective: write the flag into the page, or log it and read it in the DevTools console.

Acceptance

  • The page (inside the iframe) renders the flag value, or an alert dialog showing the flag.
  • The flag you submit matches the canonical SHA-256.

Hints

Hint 1 (−10 pts)

`<script>` tags inserted via `innerHTML` won't execute. Pick an HTML tag that fires JavaScript on an event handler — for example, an image that fails to load.

Hint 2 (−10 pts)

Try `?q=<img src=x onerror=alert(1)>`. Once `alert(1)` fires, swap the body for code that reads `window.__FLAG`.

Hint 3 (−10 pts)

Full payload: `?q=<img src=x onerror=alert(window.__FLAG)>`. The alert dialog will show the flag — copy the exact `TC{xss_…}` string.

Lab environment · sandboxed iframe · auto-resets every 60 min