[1/6] Level 1: Hello, XSS
Mission Description
This level demonstrates a common cause of cross-site scripting where user input is directly included in the page without proper escaping.
Mission Objective: Inject a script to pop up a JavaScript
alert() in the application below.
Search Engine
Hints
Try entering some HTML tags in the search box. What happens when you
search for
<h1>Hello</h1>?
If HTML tags are being rendered, that means the input isn't being escaped.
Can you inject a
<script> tag?
Try searching for:
<script>alert('XSS')</script>
function doSearch(event) {
event.preventDefault();
const query = document.getElementById('query').value;
const result = document.getElementById('result');
// VULNERABLE: Directly inserting user input into HTML
result.innerHTML = 'You searched for: ' + query;
// Execute any script tags (simulates server-side rendering)
const scripts = result.querySelectorAll('script');
scripts.forEach(script => eval(script.textContent));
}