[1/6] Level 1: Hello, XSS

Mission Description

This level demonstrates a common cause of cross-site scripting where user input is directly included in the page without proper escaping.

Mission Objective: Inject a script to pop up a JavaScript alert() in the application below.

Search Engine

✓ Level Complete! You successfully executed an XSS attack.

Hints

Try entering some HTML tags in the search box. What happens when you search for <h1>Hello</h1>?
If HTML tags are being rendered, that means the input isn't being escaped. Can you inject a <script> tag?
Try searching for: <script>alert('XSS')</script>
function doSearch(event) {
  event.preventDefault();
  const query = document.getElementById('query').value;
  const result = document.getElementById('result');
  
  // VULNERABLE: Directly inserting user input into HTML
  result.innerHTML = 'You searched for: ' + query;
  
  // Execute any script tags (simulates server-side rendering)
  const scripts = result.querySelectorAll('script');
  scripts.forEach(script => eval(script.textContent));
}