I decided to understand the essence and mechanism of XSS. I wrote a simple HTML page:
    <html>
    <head>
    <title>xss</title>
    </head>
    <body>
    <H1>test</H1>
    <br />
    <?php echo $_GET['in']; ?>
    </body>
    </html>
If I access it like
then it outputs the string I passed, but if I try to write a script
then nothing happens.
What am I doing wrong?
Most likely, you are using Chrome: the Chrome XSS Auditor handles such simple reflected XSS, in which case messages about blocking script execution will be displayed on the "Console" tab of the developer panel.
But keep in mind that Chrome will not necessarily protect against any reflected XSS; you can still browse the search results for "chrome xss auditor bypass".
I think this game from Google, where you can get acquainted with different types of XSS, will be of interest to you.
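Since the browser filter described in the answer is not a dependable protection, the page itself has to encode the reflected value on output. The following is an added example, not code from the question or the answer: a hardened variant of the test page. The helper names `e` and `render_page`, the CSP value and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code: the test page with output encoding.

// Encode untrusted text for an HTML element body or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the page. $raw is whatever arrived in the "in" parameter.
function render_page($raw): string
{
    // ?in[]=x makes $_GET['in'] an array; treat anything non-string as empty.
    $in = is_string($raw) ? $raw : '';

    return "<!DOCTYPE html>\n"
        . "<html>\n<head>\n<meta charset=\"UTF-8\">\n<title>xss</title>\n</head>\n"
        . "<body>\n<h1>test</h1>\n<br />\n"
        . e($in) . "\n"
        . "</body>\n</html>\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input, for running the file from the command line.
    echo render_page('<script>alert(1)</script> & "quoted"');
} else {
    // Declare the charset so the browser and htmlspecialchars() agree on it.
    header('Content-Type: text/html; charset=UTF-8');
    // Second layer (assumed policy): no inline scripts, same-origin sources only.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    echo render_page($_GET['in'] ?? '');
}
```

With this version the passed markup reaches the browser as character references, so it is shown as text in any browser, whether or not a client-side filter is active.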