[2/6] Level 2: Persistence
Mission Description
This level demonstrates stored (persistent) XSS where malicious scripts are saved to the server and executed every time the page is loaded.
Mission Objective: Post a message that will execute JavaScript for anyone who views the page.
Message Board
Hints
This is similar to Level 1, but your input is being stored. Try posting
HTML tags.
The vulnerability is in how posts are displayed. Each post's content is
directly inserted into the page.
Post this message:
<img src=x onerror="alert('XSS')">
let posts = [];
function addPost() {
const message = document.getElementById('message').value;
if (message.trim()) {
posts.push(message);
document.getElementById('message').value = '';
renderPosts();
}
}
function renderPosts() {
const container = document.getElementById('posts');
container.innerHTML = '';
posts.forEach(post => {
const div = document.createElement('div');
div.className = 'post';
// VULNERABLE: Directly inserting stored content
div.innerHTML = `
<div class="post-author">Anonymous</div>
<div class="post-content">${post}</div>
`;
container.appendChild(div);
});
}